Abstract

Software frameworks impose constraints on how plugins may interact with them. Many of these constraints involve multiple objects, are temporal, and depend on runtime values. Additionally, they are difficult to specify because they are non-local and may break behavioral subtyping. This work presents relationships as a means for specifying framework constraints, and it presents a formal description and implementation of a static analysis to find constraint violations in plugin code. We define three variants of this analysis: one is sound, one is complete, and one provides a compromise of the two. We prove soundness and completeness for the appropriate variants, and we show how the compromise variant works on examples from real-world programs. This allows the user to select the option which is the most cost-effective in practice with regard to the number of false positives and false negatives.
Figure 1: ASP.NET ListControl Class Diagram

1 Introduction

Object-oriented frameworks have brought many benefits to software development, including reusable codebases, extensible systems, and encapsulation of quality attributes. However, frameworks are used at a high cost; they are complex and difficult to learn [11]. This is partially due to the complexity of the semantic constraints they place on the plugins that utilize them.

As an example, consider a constraint in the ASP.NET web application framework. The ASP.NET framework allows developers to create web pages with user interface controls on them. These controls can be manipulated programmatically through callbacks provided by the framework. A developer can write code that responds to control events, adds and removes controls, and changes the state of controls.

One task that a developer might want to perform is to programmatically change the selection of a drop-down list. The ASP.NET framework provides the relevant pieces, as shown in Figure 1¹. Notice that if the developer wants to change the selection of a DropDownList (or any other derived ListControl), she has to access the individual ListItems through the ListItemCollection and change the selection using setSelected. Based on this information, she might naively change the selection as shown in Listing 1. Her expectation is that the framework will see that she has selected a new item and will change the selection accordingly.

When the developer runs this code, she will get the error shown in Figure 2. The error message clearly describes the problem: a DropDownList had more than one item selected. This error is due to the fact that the developer did not de-select the previously selected item, and, by design, the framework does not do this automatically. While an experienced developer will realize that this was the problem, an inexperienced developer might be confused because she did not select multiple items.

The stack trace in Figure 2 is even more interesting because it does not point to the code where the developer made the selection. In fact, the entire stack trace is from framework code; there is no plugin code referenced at all! At runtime, the framework called the plugin developer's code in Listing 1, this code ran and returned to the framework, and then the framework discovered the error. To make matters worse, the program control could go back and forth several times before finally reaching the check that triggered the exception. Since the developer doesn't know exactly where the problem occurred, or even what object it occurred on, she must search her code by hand to find the erroneous selection.

¹ To make this code more accessible to those unfamiliar with C#, we are using traditional getter/setter syntax rather than properties.
Listing 1: Incorrect selection for a DropDownList

    DropDownList list;

    private void Page_Load(object sender, EventArgs e)
    {
        ListItem newSel;
        newSel = list.getItems().findByValue("foo");
        newSel.setSelected(true);
    }


    Cannot have multiple items selected in a DropDownList.

    Stack Trace:

    [HttpException (0x80004005): Cannot have multiple items selected in a DropDownList.]
      System.Web.UI.WebControls.DropDownList.VerifyMultiSelect() +133
      System.Web.UI.WebControls.ListControl.RenderContents(HtmlTextWriter writer) +206
      System.Web.UI.WebControls.WebControl.Render(HtmlTextWriter writer) +43
      System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +74
      System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +291

Figure 2: Error with partial stack trace from ASP.NET

The correct code for this task is in Listing 2. In this code snippet, the developer de-selects the currently selected item before selecting a new item.

This example, and many others we have found on the ASP.NET developer forum, shows three interesting properties of framework constraints.

Framework constraints involve multiple classes and objects. Listing 1 references three objects, and Listing 2 required four objects to make the proper selection. The framework code that the plugin used was located in four classes.

Framework constraints are non-local. While the DropDownList was the class that checked the constraint (as seen by the stack trace), the constraint itself was on the methods of ListItem. However, the ListItem class is not aware of the DropDownList class or even that it is within a ListControl at all, and therefore it should not be responsible for enforcing the constraint. The non-local nature of these constraints also makes them difficult to document, as it is unclear where the documentation should go so that the plugin developer will discover it. In this example, had the framework developer placed the relevant documentation in the DropDownList, the plugin developer might still not find it because she was using methods of the ListItem class.

Listing 2: Correctly selecting an item using the ASP.NET API

    1   DropDownList list;
    2
    3   private void Page_Load(object sender, EventArgs e)
    4   {
    5       ListItem newSel, oldSel;
    6       oldSel = list.getSelectedItem();
    7       oldSel.setSelected(false);
    8       newSel = list.getItems().findByValue("foo");
    9       newSel.setSelected(true);
    10  }

Listing 3: Selecting on the wrong DropDownList

    DropDownList listA;
    DropDownList listB;

    private void Page_Load(object sender, EventArgs e)
    {
        ListItem newSel, oldSel;
        oldSel = listA.getSelectedItem();
        oldSel.setSelected(false);
        newSel = listB.getItems().findByValue("foo");
        newSel.setSelected(true);
    }

Framework constraints have semantic properties. Framework constraints are not only about structural concerns such as method naming conventions or types; the developer must also be aware of semantic properties of the constraint. There are several semantic properties shown by this example. First, the plugin developer had to be aware of which objects she was using to avoid the problem in Listing 3. In this example, the developer called the correct operations, but on the wrong objects. She also had to be aware of the primitive values (such as true or false) she used on the calls to change the selection. Finally, she had to be aware of the ordering of the operations. In Listing 2, had she swapped lines 6 and 7 with lines 8 and 9, she would have caused unexpected runtime behavior where the selection change does not occur. This behavior occurs because getSelectedItem returns the first selected ListItem that it finds in the DropDownList, and that may be the newly selected item rather than the old item.

In previous work [10], we proposed a preliminary specification approach and sketched a hypothetical analysis to discover mismatches between the plugin code and the declared constraints of the framework. The previous work primarily discussed the requirements for such a system and explored a prototype specification. In this paper, we make three contributions:

1. We show that the concept of developer-defined relations across objects captures the primary programming model used to interact with frameworks. We use these relations to specify framework constraints in a concise manner. (Section 2)

2. We propose (Section 3) and formally define (Section 4) a static analysis that detects where a plugin violates framework constraints. We define three variants of this analysis: a sound variant, a complete variant, and a third variant that is neither sound nor complete. We prove soundness and completeness for the appropriate variants, and we argue that the third variant is a better compromise for practical use. Additionally, there are only minor differences between the variants, so it is simple to swap between them.

3. We implemented the compromise variant of the analysis within the Eclipse IDE and ran it on code based on examples from framework help forums. We show that the constraints capture the properties described and that the compromise variant can handle real-world code with relatively few false positives and false negatives. (Section 5)
2 Developer-defined Relations over Objects

When a developer programs to a framework, the primary task is not about creating new objects or data. In many cases, programming in this environment is about manipulating the abstract associations between existing objects. Every time the plugin receives a callback from the framework, it is implicitly notified of the current associations between objects. As the plugin calls framework methods, the framework changes these associations, and the plugin learns more about how the objects relate. Every method call, field access, or test gives the plugin more information. Even when the plugin needs to create a new object, it is frequently done by calling abstract factory methods that set up the object and its relationships with other objects.

The ASP.NET framework exemplifies this means of interaction. In the DropDownList example, all the objects are provided by the framework, and the plugin simply changes their relationships with each other through calls to the framework. In fact, the DropDownList itself, and the data within it, is frequently set up using dependency injection, a mechanism in which the framework populates the fields of the plugin based on an external configuration file [7]. This may be done in several stages, with the framework notifying the plugin as it completes each stage using a callback. When using dependency injection, the plugin simply receives and manipulates pre-configured objects.

Since the primary mechanism of interaction is based on manipulating relationships between objects, we will model it formally using a mathematical relation. A relation is a named, mathematical relation on several types $\tau$:

$$\mathit{Relation} ::= \mathit{name} \rightarrow \tau_1 \times \ldots \times \tau_n$$

A relationship is a single tuple in a relation, represented as

$$\mathit{Relationship} ::= \mathit{name}(\ell_1, \ldots, \ell_n)$$

where $\ell$ is a static representation of a runtime object.

In this section, we introduce three specification constructs based on relationships. The first construct, relationship effects, specifies how framework operations change associations between objects. The second construct, constraints, uses relationships to specify the non-local constraints on framework operations. Finally, relation inference rules specify how relationships can be inferred based on the current state of other relationships, regardless of what operations are used.

2.1 Relationship Effects

Relationship effects specify changes to the relations that occur after calling a framework method. The framework developer annotates the framework methods with information about how the calling object, parameters, and return value are related (or not related) after a call to the method. These annotations describe additions and removals of relationships from a relation. For example, the annotation @Item({item, list}, ADD) creates an "Item" relationship between item and list, while @Item({item, list}, REMOVE) removes this relationship². Relationship effects may refer to the parameters, the receiver object, and the return value of a method. They may also refer to primitive values. Additionally, parameters can be wild-carded, so @Item({*, list}, REMOVE) removes all the "Item" relationships between list and any other object.

² We are presenting a simplified version of the syntax for readability purposes. The correct Java syntax for the add annotation appears as @Item(params={"item", "list"}, effect=ADD). This is the syntax used in the implementation.

Listing 4: Relations for the ListControl API. Every relation must define the properties params, effect, and test

    @Relation({ListItem.class, ListControl.class})
    public @interface Child {
        String[] params();
        Effect effect();
        String test() default "";
    }

In addition to the ADD and REMOVE effects, a TEST effect uses a parameter to determine whether to add or remove a relationship. For example, we might annotate the method List.contains(Object obj) with @Item({obj, this}, TEST, return) to signify that this relationship is added when the value of return is true and removed when the value of return is false.

As relations are user-defined, they have no predefined semantics. Any hierarchy or ownership present, such as "Child" or "Item" relations, is only inserted by the framework developer. In fact, relationships do not have to reflect any reference paths found in the heap, but may exist only as an abstraction to the developer. This allows relations to be treated as an abstraction independent from code, and even allows the same relation to be used across frameworks.

To define a new relation, the framework developer creates an annotation and uses the meta-annotation @Relation to signify it as a relation over specific types. Listing 4 shows a sample definition of the Child relation from the DropDownList example.

Once the framework developer defines the desired relations, they can be used as relationship effects, as shown in Listing 5. These annotations allow tools to track relationship effects through the plugin code at compile time. Listing 6 shows a snippet from a plugin, along with the current relationships after each instruction. For example, after line 4 in Listing 6, we learn the relationships displayed in line 5 based on the effects declared in Listing 5, lines 7-9. This information, the relationship context, provides us with an abstract, semantic context in which each instruction resides. In the next section, we use this context to check the semantic parts of framework constraints.

2.2 Constraints

Constraints use relationships in logical predicates to specify non-local preconditions of framework operations. They are written as class-level annotations, but as constraints are non-local, they can constrain the operations on any other class. Three examples of constraints on the DropDownList class are in Listing 7. As the examples show, a constraint has four parts:

1. operation: This is a signature of an operation to be constrained, such as a method call, constructor call, or even a tag signaling the end of a method. Notice that these operations may constrain operations on another class.

2. trigger predicate: This is a logical predicate over relationships. The plugin's relationship context must show this predicate to be true for this constraint to be triggered. If not, the constraint is ignored. While operation provides a syntactic trigger for the constraint, trigger provides the semantic trigger.

3. requires predicate: This is another logical predicate over relationships. If the constraint is triggered, then this predicate must be true under the current relationship context. If the requires predicate is not true, this is a broken constraint and the analysis should signal an error in the plugin.

4. effect list: This is a list of relationship effects. These effects will only be applied if the constraint is triggered.

Listing 5: Partial ListControl API with Relation annotations

    public class ListControl {
        @List({return, this}, ADD)
        public ListItemCollection getItems();

        //After this call, we know two pieces of information.
        //The returned item is selected, and it is a child of this
        @Child({return, this}, ADD)
        @Selected({return}, ADD)
        public ListItem getSelectedItem();
    }

    public class ListItem {
        //if the return is true, then we know we have a selected item
        //if it is false, we know it was not selected.
        @Selected({this}, TEST, return)
        public boolean isSelected();

        @Selected({this}, TEST, select)
        public void setSelected(boolean select);

        @Text({return, this}, ADD)
        public String getText();

        //When we call setText, remove any previous Text relationships,
        //then add one for text
        @Text({*, this}, REMOVE)
        @Text({text, this}, ADD)
        public void setText(String text);
    }

    public class ListItemCollection {
        @Item({item, this}, REMOVE)
        public void remove(ListItem item);

        @Item({item, this}, ADD)
        public void add(ListItem item);

        @Item({item, this}, TEST, return)
        public boolean contains(ListItem item);

        @Item({return, this}, ADD)
        @Text({text, return}, ADD)
        public ListItem findByText(String text);

        //if we had any items before this, remove them after this call
        @Item({*, this}, REMOVE)
        public void clear();
    }

Listing 6: Comments showing how the relationship context changes after each instruction

    1   DropDownList ddl = ...;
    2   ListItemCollection coll;
    3   ListItem newSel, oldSel;
    4   oldSel = ddl.getSelectedItem();
    5   //Child(oldSel, ddl), Selected(oldSel)
    6   oldSel.setSelected(false);
    7   //Child(oldSel, ddl), !Selected(oldSel)
    8   coll = ddl.getItems();
    9   //Child(oldSel, ddl), !Selected(oldSel), List(coll, ddl)
    10  newSel = coll.findByText("foo");
    11  //Child(oldSel, ddl), !Selected(oldSel), List(coll, ddl),
    12  //Item(newSel, coll), Text("foo", newSel)

Listing 7: DropDownList Selection Constraints and Inferred Relationships

    @Constraint(
        op="ListItem.setSelected(boolean select)",
        trigger="select == false and Child(this, ctrl) and ctrl instanceof DropDownList",
        requires="Selected(this)",
        effect={"!CorrectlySelected(ctrl)"}
    )
    @Constraint(
        op="ListItem.setSelected(boolean select)",
        trigger="select == true and Child(this, ctrl) and ctrl instanceof DropDownList",
        requires="!CorrectlySelected(ctrl)",
        effect={"CorrectlySelected(ctrl)"}
    )
    @Constraint(
        op="end-of-method",
        trigger="ctrl instanceof DropDownList",
        requires="CorrectlySelected(ctrl)",
        effect={}
    )
    @Infer(
        trigger="List(list, ctrl) and Item(item, list)",
        infer={"Child(item, ctrl)"}
    )
    public class DropDownList {...}

In the first example at the top of Listing 7, the constraint checks, at every call to ListItem.setSelected(boolean), that if the relationship context shows that the argument is false, the receiver is a Child of a ListControl, and the ListControl is a DropDownList, then it must also indicate that the ListItem is Selected. Additionally, the context will change so that the DropDownList is not CorrectlySelected. The second constraint is similar to the first, and it enforces proper selection of ListItems in a DropDownList. The third constraint ensures that the method does not end in an improper state by utilizing the "end-of-method" instruction to trigger when a plugin callback is about to end.

2.3 Inferred relationships

In some cases, the relationships between objects are implicit. Consider the ListItemCollection from the DropDownList example. In this example, the framework developer would like to state that items in this list are in a Child relation with the ListControl parent. However, it does not make sense to annotate the ListItemCollection class with this information since ListItemCollections should not know about ListControls.

Inferred relationships describe these implicit relationships that can be assumed at any time. In Listing 7, lines 23-26 show an example for inferring a Child relationship based on the relations between ListItemCollections and ListControls. Whenever the relationship context can show that the "trigger" predicate is true, it can infer the relationship effects in the "infer" list. It is possible to produce inferred relationships that directly conflict with the relationship context. To prevent this, the semantics of inferred relationships is that they are ignored in the case of a conflict; that is, relationships from declared relationship effects and constraints have a higher precedence.
3 The Relation Analysis

We have designed and implemented a static analysis to track relationships through plugin code and check plugin code against framework constraints. The relation analysis is a branch-sensitive, forward dataflow analysis³. It is designed to work on a three-address code representation of Java-like source. We assume that the analysis runs in a framework that provides all of these features. In this section, we will present the analysis data structures, the intuition behind the three variations of the analysis, and a discussion of their tradeoffs. Section 4 defines how the analysis runs on each instruction.

The relation analysis is dependent on several other analyses, including a boolean constant propagation analysis and an alias analysis. The relation analysis uses the constant propagation analysis for the TEST effect. For this purpose, the relation analysis assumes there is a function $\mathcal{D}$ to which it can pass a variable and learn whether the represented value is true, false, or unknown.

The relation analysis can use any alias analysis which implements a simple interface. First, it assumes there is a context $\mathcal{L}$ that, given any variable $x$, provides a finite set of abstract locations $\ell$ that the variable might point to. Second, it assumes a context $\Gamma_\ell$ which maps every location $\ell$ to a type $\tau$. The combination of these two contexts, $\langle \Gamma_\ell, \mathcal{L} \rangle$, is represented as the alias lattice $\mathcal{A}$.

The alias lattice must be conservative in its abstraction of the heap, as defined by Definition 1.

Definition 1 (Abstraction of Alias Lattice). Assume that a heap $h$ is defined as a set of source variables $x$ which point to a runtime location $\ell$ of type $\tau$. Let $H$ be all the possible heaps at a particular program counter. An alias lattice $\langle \Gamma_\ell, \mathcal{L} \rangle$ abstracts $H$ at a program counter if and only if

$$\begin{array}{l}
\forall h \in H.\ \mathit{dom}(h) = \mathit{dom}(\mathcal{L}) \text{ and} \\
\forall (x_1 \mapsto \ell_1 : \tau_1) \in h.\ \forall (x_2 \mapsto \ell_2 : \tau_2) \in h. \\
\quad \text{if } x_1 \neq x_2 \text{ and } \ell_1 = \ell_2 \text{ then} \\
\qquad \ell' \in \mathcal{L}(x_1) \text{ and } \ell' \in \mathcal{L}(x_2) \text{ and } \tau_1 <: \Gamma_\ell(\ell') \\
\quad \text{and} \\
\quad \text{if } x_1 \neq x_2 \text{ and } \ell_1 \neq \ell_2 \text{ then} \\
\qquad \ell'_1 \in \mathcal{L}(x_1) \text{ and } \ell'_2 \in \mathcal{L}(x_2) \text{ and } \ell'_1 \neq \ell'_2 \text{ and } \tau_1 <: \Gamma_\ell(\ell'_1) \text{ and } \tau_2 <: \Gamma_\ell(\ell'_2)
\end{array}$$

This definition ensures that if two variables alias under any heap, then the alias lattice will reflect that by putting the same location $\ell'$ into each of their location lists. Likewise, if any heap can determine that the two variables are not aliased, then the alias lattice will reflect this possibility as well by having a distinct location in each location set. The definition also ensures that the typing context $\Gamma_\ell$ has the most general type for a location.

As long as the alias analysis maintains the abstraction property and can provide the required interface, the relation analysis can be proven to be either sound or complete. Of course, a more precise alias analysis will increase the precision of the relation analysis.

³ By branch-sensitive, we mean that the true and false branches of a conditional may receive different lattice information depending upon the condition. The transfer function on the condition is called twice, once assuming that the result is false, and once assuming that it is true. This is not a path-sensitive analysis; the branch condition is not saved for use after the branches merge together.
3.1 The Relationship State Lattice

We track the status of a relationship using the four-point dataflow lattice represented in Figure 3, where unknown represents either true or false and bottom is a special case used only inside the flow function. The relation analysis uses a tuple lattice which maps all relationships we want to track to a relationship state lattice element. We will represent this tuple lattice as $\rho$. We will say that $\rho$ is consistent with an alias lattice $\mathcal{A}$ when the domain of $\rho$ is equal to the set of relationships that are possible under $\mathcal{A}$.

Notice that as more references enter the context, there are more possible relationships, and the height of $\rho$ grows. Even so, the height is always finite as there is a finite number of locations and a finite number of relations. As the flow function is monotonic, the analysis always reaches a fixpoint.

3.2 Flow Function

The analysis flow function is responsible for two tasks: it must check that a given operation is valid, and it must apply any specified relationship changes to the lattice. The flow function is defined as

$$f_{\mathcal{C};\mathcal{A};\mathcal{D}}(\rho, \mathit{instr}) = \rho'$$

where $\mathcal{C}$ are all the constraints, $\mathcal{A}$ is the alias lattice, $\mathcal{D}$ is the boolean constant lattice, $\rho$ is the starting relation lattice, $\rho'$ is the ending relation lattice, and $\mathit{instr}$ is the three-address code instruction on which we are running the analysis. The analysis goes through each constraint in $\mathcal{C}$ and checks for a match. It first checks to see whether the operation defined by the constraint matches the instruction, thus representing a syntactic match. It also checks to see whether $\rho$ determines that the trigger of the constraint applies. If so, it has both a syntactic and semantic match, and it binds the specification variables to the locations that triggered the match.

Figure 3: The simple lattice for a relationship (unknown at the top, true and false below it, bot at the bottom)

Once the analysis has a match, two things must occur. First, it uses the bindings generated above to show that the required predicate of the constraint is true under $\rho$. If it is not true, then the analysis reports an error on $\mathit{instr}$. Second, the analysis must use the same bindings to produce $\rho'$ by applying the relationship effects.

3.3 Soundness and Completeness

Soundness and completeness allow the user of the analysis to either have confidence that there are no errors at runtime if the analysis finds none (if it is sound) or that any errors the analysis finds will actually occur in some runtime scenario (if it is complete). For the purposes of these definitions, an error is a dynamic interpretation of the constraint which causes the requires predicate to fail. In the formal semantics, an error is signaled as a failure of the flow function to produce a new lattice for a particular instruction.

We define soundness and completeness of the relation analysis by assuming an alias analysis which abstracts the heap using $\mathcal{A}$, as described above. For both of these theorems, we let $\mathcal{A}_{conc}$ define the actual heap at some point of a real execution, and we let $\mathcal{A}_{abs}$ be a sound approximation of $\mathcal{A}_{conc}$. We also let $\rho_{abs}$ and $\rho_{conc}$ be relationship lattices consistent with $\mathcal{A}_{abs}$ and $\mathcal{A}_{conc}$, where $\rho_{abs}$ is an abstraction of the concrete runtime lattice $\rho_{conc}$, defined as $\rho_{conc} \sqsubseteq \rho_{abs}$.

Table 1: Differences between sound, complete, and compromise variants

    Variant      Trigger predicate checks when...   Requires predicate passes when...
    Sound        True or Unknown                    True
    Complete     True                               True or Unknown
    Compromise   True                               True

If the relation analysis is sound, we expect that if the flow function runs to completion using the imprecise lattice ρ_abs, then any more concrete lattice will also run to completion for that instruction. As the flow function only runs to completion if it finds no errors, there may be false positives when ρ_abs produces errors, but there will be no false negatives. To be locally sound for this instruction, the analysis must also produce a new abstract lattice that conservatively approximates any new concrete lattice. Theorem 3.1 captures the intuition of local soundness formally. Global soundness follows from local soundness, the monotonicity of the flow function, and the initial conditions of the lattice.

Theorem 3.1 (Local Soundness of Relations Analysis).

$$
\begin{array}{l}
\text{if } f_{C;\mathcal{A}_{abs};\mathcal{B}}(\rho_{abs}, \mathit{instr}) = \rho_{abs}' \text{ and } \rho_{conc} \sqsubseteq \rho_{abs} \\
\text{then } f_{C;\mathcal{A}_{conc};\mathcal{B}}(\rho_{conc}, \mathit{instr}) = \rho_{conc}' \text{ and } \rho_{conc}' \sqsubseteq \rho_{abs}'
\end{array}
$$

If the relation analysis is complete, we expect a theorem which is the opposite of the soundness theorem, shown in Theorem 3.2. If a flow function runs to completion on a lattice ρ_conc, then it will also run to completion on any abstraction of that lattice. An analysis with this property may produce false negatives, as the analysis can find an error using the concrete lattice yet run to completion on the abstract lattice, but it will produce no false positives. Like the sound analysis, the results from the flow function must maintain their existing precision relationship.

Theorem 3.2 (Local Completeness of Relations Analysis).

$$
\begin{array}{l}
\text{if } f_{C;\mathcal{A}_{conc};\mathcal{B}}(\rho_{conc}, \mathit{instr}) = \rho_{conc}' \text{ and } \rho_{conc} \sqsubseteq \rho_{abs} \\
\text{then } f_{C;\mathcal{A}_{abs};\mathcal{B}}(\rho_{abs}, \mathit{instr}) = \rho_{abs}' \text{ and } \rho_{conc}' \sqsubseteq \rho_{abs}'
\end{array}
$$

The relation analysis can be either sound, complete, or a compromise of the two, by making only minor changes to the analysis. Proofs of soundness and completeness, for the sound and complete variants respectively, can be found in the appendices. The differences between the variants are summarized in Table 1 and are described below.

Trigger condition. The trigger predicate determines when the constraint will check the required predicate and when it will produce effects. The sound analysis will trigger a constraint whenever there is even a possibility of it triggering at runtime. Therefore, it triggers when the predicate is either true or unknown. The complete variant can produce no false positives, so it will only check the requires predicate when the trigger predicate is definitely true. Regardless of the variant, if the trigger is either true or unknown, the analysis produces a set of changes to make to the lattice based upon the effects list.
  public class ListItemCollection {
      @Item({*, this}, REMOVE)
      public void clear() {...}
  }

  @Constraint(
      op = "ListItemCollection.clear()",
      trigger = "x instanceof ListItem",
      requires = "true",
      effect = {"!Item(x, this)"}
  )

Figure 4: Translating a relation effect with wildcards into a constraint


Error  condition.  The  requires  predicate  should  be  true  to  signal  that  the  operation  is  safe  to 
use.  The  sound  variant  will  cause  an  error  whenever  the  required  predicate  is  false  or  unknown. 
The  complete  variant,  however,  can  only  cause  an  error  if  it  is  sure  there  is  one,  so  it  only  flags  an 
error  if  the  requires  predicate  is  definitely  false. 

Table 1 also shows a variant of the analysis that, while neither sound nor complete, we believe is a good compromise between the two. The compromise variant attempts to minimize the number of false positives and false negatives by only triggering when the trigger predicate is definitely true, but then signaling an error if the requires predicate is either false or unknown. While this version can produce false positives and false negatives, we believe it will be the most cost-effective compromise in practice, based on our experience described in Section 5. Additionally, this version may utilize inferred relations, a feature which is inherently neither sound nor complete, but reduces the specification burden on the framework developer.


4  Abstract  Semantics 

In this section, we present formal semantics for a simplified version of the specifications and analysis, the grammar for which is shown in Figure 5. We do not include specialized relations for equality (==) and typing (instanceof). It is possible to add specialized relations by calling out to other flow analyses in the same manner as is done with both the boolean constant propagation analysis and the alias analysis.

Relation  effects  and  wildcards  are  both  syntactic  sugar  that  can  be  easily  translated  into  a 
constraint  form.  Relation  effects  are  translated  by  considering  them  as  a  constraint  on  the  annotated 
method  with  a  true  trigger  predicate,  a  true  requires  predicate,  and  the  effect  list  as  annotated. 
Wildcards  are  easily  rewritten  by  declaring  a  fresh  variable  in  the  trigger  predicate  and  constraining 
it  to  have  the  desired  type.  Figure  4  shows  an  example  effect  with  a  wildcard  translated  into  a 
constraint. 

The lattice ρ has the usual operators of join (⊔) and precision (⊑), which work as expected for a tuple lattice. We also introduce three additional operators, defined in Figure 6. Equivalence join resolves to unknown if the two sides are not equal. Overriding meet has the property that if the right side has a defined value (not bot), then it uses the right value; otherwise it uses the left value. The polarity operator pushes all non-bottom values to the top of the lattice (unknown). Finally, we also define ⊥_𝒜 as a special lattice which is consistent with the alias lattice 𝒜 and which maps every relationship to bot.
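The following Python is an added illustration (not code from the paper) of the element lattice of Figure 5 and the operators described in the paragraph above: join, precision, equivalence join, overriding meet and polarity, each lifted pointwise to a relationship lattice ρ represented as a dict from relationship name to element, with absent keys standing for bot. The function names and the brute-force check that join really is the least upper bound for the precision order are ours.

```python
"""Relationship lattice elements and the operators of Section 4 (added example)."""
from itertools import product
from typing import Callable, Dict

BOT, TRUE, FALSE, UNKNOWN = "bot", "true", "false", "unknown"
ELEMENTS = (BOT, TRUE, FALSE, UNKNOWN)


def leq(a: str, b: str) -> bool:
    """Precision a ⊑ b: bot is the least element, true and false are
    incomparable, unknown is the top."""
    return a == b or a == BOT or b == UNKNOWN


def join(a: str, b: str) -> str:
    """Least upper bound a ⊔ b; true ⊔ false loses information and is unknown."""
    if a == b:
        return a
    if a == BOT:
        return b
    if b == BOT:
        return a
    return UNKNOWN


def equiv_join(a: str, b: str) -> str:
    """Equivalence join: the shared value if both sides agree, else unknown.
    Unlike join, bot and true disagree and therefore yield unknown."""
    return a if a == b else UNKNOWN


def override_meet(left: str, right: str) -> str:
    """Overriding meet: a defined (non-bot) right-hand value replaces the left."""
    return right if right != BOT else left


def polarize(a: str) -> str:
    """Polarity operator: every non-bot value is pushed to the top (unknown)."""
    return BOT if a == BOT else UNKNOWN


# A relationship lattice ρ maps relationship names to elements; bot elsewhere.
Lattice = Dict[str, str]


def lift(op: Callable[[str, str], str]) -> Callable[[Lattice, Lattice], Lattice]:
    """Lift a binary element operator pointwise to relationship lattices."""
    def lifted(p: Lattice, q: Lattice) -> Lattice:
        return {k: op(p.get(k, BOT), q.get(k, BOT)) for k in set(p) | set(q)}
    return lifted


lattice_join = lift(join)
lattice_equiv_join = lift(equiv_join)
lattice_override_meet = lift(override_meet)


def lattice_leq(p: Lattice, q: Lattice) -> bool:
    """p ⊑ q pointwise over every relationship mentioned by either side."""
    return all(leq(p.get(k, BOT), q.get(k, BOT)) for k in set(p) | set(q))


def lattice_polarize(p: Lattice) -> Lattice:
    return {k: polarize(v) for k, v in p.items()}


def apply_changes(rho: Lattice, rho_delta: Lattice) -> Lattice:
    """Apply a change lattice to ρ: bot in the change lattice keeps the old
    value, any other element overrides it (the overriding meet)."""
    return lattice_override_meet(rho, rho_delta)


def check_lattice_laws() -> bool:
    """Brute-force check over all element pairs: join is the least upper bound
    of leq, and polarize never moves a value downward in the order."""
    for a, b in product(ELEMENTS, repeat=2):
        j = join(a, b)
        if not (leq(a, j) and leq(b, j)):
            return False
        # j must sit below every other upper bound c of a and b
        if any(leq(a, c) and leq(b, c) and not leq(j, c) for c in ELEMENTS):
            return False
    return all(leq(a, polarize(a)) for a in ELEMENTS)
```

The distinction that matters later in the paper is visible in the two joins: `join(TRUE, BOT)` is `true` (bot means "no change"), whereas `equiv_join(TRUE, BOT)` is `unknown`, because one aliasing configuration asserting a change while another asserts none is a disagreement.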
  constraint                cons  ::= op : P_ctx ⇒ P_req ⇝ Q̄
  predicate                 P     ::= P1 ∧ P2 | P1 ∨ P2 | P1 ⇒ P2 | Q | true | false
  negation predicate        Q     ::= ¬S | S
  test predicate            S     ::= A | A/y
  relation predicate        A     ::= rel(ȳ)
  bound predicate           M     ::= M1 ∧ M2 | M1 ∨ M2 | M1 ⇒ M2 | N | true | false
  bound negation            N     ::= ¬T | T
  bound test                T     ::= R | R/ℓ
  relationship              R     ::= rel(ℓ̄)
  source instruction        instr ::= x_ret = x_this.m(x̄) | x_ret = new τ(x̄) | eom | ...
  instruction signature     op    ::= τ_this.m(ȳ : τ̄) : τ_ret | new τ(ȳ : τ̄) | end-of-method | ...
  ternary logic             t     ::= True | False | Unknown
  lattice elements          E     ::= unknown | true | false | bot
  flow lattice              ρ     ::= R ↦ E, ρ | ∅
  set of lattices           𝒫     ::= {ρ} ∪ 𝒫 | ∅
  substitution              σ     ::= (y ↦ ℓ), σ | ∅
  set of substitutions      Σ     ::= {σ} ∪ Σ | ∅
  bool constants lattice    ℬ     ::= ℓ ↦ t, ℬ | ∅
  alias lattice             𝒜     ::= ⟨Γ_ℓ; L⟩
  aliases                   L     ::= (x ↦ ℓ̄), L | ∅
  location types            Γ_ℓ   ::= (ℓ : τ), Γ_ℓ | ∅
  spec variable types       Γ_y   ::= (y : τ), Γ_y | ∅
  relation type             ℛ     ::= rel ↦ τ̄, ℛ | ∅
  constraints               C     ::= cons, C | ∅
  relation inference rules  I     ::= P ⇝ Q̄, I | ∅

  x is a source variable
  m is a method name
  rel is a relation name
  τ is a type
  y is a spec variable, where the variables this and ret have special meanings
  ℓ is a label for a runtime object
  ⊥_𝒜 is a special lattice which is consistent with the alias lattice 𝒜 and where every relationship maps to bot

Figure 5: Abstract grammar


4.1  Checking  predicate  truth 

Before we show how constraint checking works, we must describe how the analysis tests the truth of a relationship predicate. The judgment for this is written as

  𝒜; ℬ; ρ ⊢ M t

and is read as "Given an aliasing context and a constant propagation context, the lattice ρ shows that bound predicate M is t", where t is either True, False, or Unknown. The rules for this judgment
Figure 6: Lattice Element Operations


are  similar  to  three-valued  logic  and  are  shown  in  Figures  7  and  8. 

In the sound and complete variants, the rules are trivial. The analysis inspects the lattice to see what the value of the relationship is to determine whether it is True (rel-true), False (rel-false), or Unknown (rel-u-sound/complete). If the lattice maps the relationship to either unknown or bot, then the predicate is considered Unknown. The rest of the predicate rules work as expected for a three-valued logic.

The interesting case is in the compromise variant when the relationship does not map to true or false. Instead of using the rule (rel-u-sound/complete), the compromise variant admits the rules (rel-u-compromise) and (infer-compromise). These rules attempt to use the inferred relationships, defined in Section 2.3, to retrieve the desired relationship. The rule for the inference judgment 𝒜; ℬ ⊢ ρ infers ρ' is defined in Figure 9. This rule first checks whether the trigger of an inferred relation is true, and if so, uses the function lattice to produce the inferred relationships described by Q̄[σ]. For all relationships not defined by Q̄[σ], the lattice function defaults to bot to signal that there are no changes. There are two properties to note about the rules (rel-u-compromise), (infer-compromise), and (discover):

1. The use of inferred relationships does not change the original lattice ρ. This allows the inferred relationships to go away automatically if the generating predicate, P, is no longer true.

2. Any inferred relationship must be strictly more precise than the relationship's value in ρ, as enforced by ρ' ⊑ ρ. This means that relationships can move from unknown to true, but they cannot move from false to true. This property guarantees termination and prevents the inferred relationships from taking precedence over declared ones.

Inferred relationships cannot be used in the sound and complete variants. This does not limit the expressiveness of the specifications, as inferred relations can always be written directly within the constraints. Doing so does make the specifications more difficult to write; the framework developer must add the inferred relations to any constraint which will also prove the trigger predicate. Since inferred relations do change the semantics, they are not syntactic sugar, but they are not necessary for reasons beyond the ease of writing specifications.

Judgment: 𝒜; ℬ; ρ ⊢ M t

  ρ(R) = true
  ───────────────────── (REL-TRUE)
  𝒜; ℬ; ρ ⊢ R True

  ρ(R) = false
  ───────────────────── (REL-FALSE)
  𝒜; ℬ; ρ ⊢ R False

  ρ(R) = E    E ≠ true    E ≠ false
  ────────────────────────────────── (REL-UNKNOWN-SOUND/COMPLETE)
  𝒜; ℬ; ρ ⊢ R Unknown

  ρ(R) = E    E ≠ true    E ≠ false
  𝒜; ℬ ⊢ ρ infers ρ'    𝒜; ℬ; override(ρ, ρ') ⊢ R t    t is True or False
  ───────────────────────────────────────────────────────────────────── (INFER-COMPROMISE)
  𝒜; ℬ; ρ ⊢ R t

  ρ(R) = E    E ≠ true    E ≠ false    ¬∃ρ' . 𝒜; ℬ ⊢ ρ infers ρ'
  ──────────────────────────────────────────────────────────── (REL-UNKNOWN-COMPROMISE)
  𝒜; ℬ; ρ ⊢ R Unknown

  𝒜; ℬ; ρ ⊢ R t    ℬ(ℓ_test) = t    t ≠ Unknown
  ───────────────────────────────────────────── (REL-TEST-T)
  𝒜; ℬ; ρ ⊢ R/ℓ_test True

  𝒜; ℬ; ρ ⊢ R t1    ℬ(ℓ_test) = t2    t1 ≠ Unknown    t2 ≠ Unknown    t1 ≠ t2
  ──────────────────────────────────────────────────────────────────────── (REL-TEST-F)
  𝒜; ℬ; ρ ⊢ R/ℓ_test False

  𝒜; ℬ; ρ ⊢ R Unknown
  ──────────────────────────── (REL-TEST-U1)
  𝒜; ℬ; ρ ⊢ R/ℓ_test Unknown

  ℬ(ℓ_test) = Unknown    𝒜; ℬ; ρ ⊢ R t
  ──────────────────────────────────── (REL-TEST-U2)
  𝒜; ℬ; ρ ⊢ R/ℓ_test Unknown

  𝒜; ℬ; ρ ⊢ T Unknown
  ───────────────────── (¬R-UNKNOWN)
  𝒜; ℬ; ρ ⊢ ¬T Unknown

  𝒜; ℬ; ρ ⊢ T False
  ───────────────────── (¬R-TRUE)
  𝒜; ℬ; ρ ⊢ ¬T True

  𝒜; ℬ; ρ ⊢ T True
  ───────────────────── (¬R-FALSE)
  𝒜; ℬ; ρ ⊢ ¬T False

  ───────────────────────── (TRUE)          ────────────────────────── (FALSE)
  𝒜; ℬ; ρ ⊢ true True                      𝒜; ℬ; ρ ⊢ false False

  𝒜; ℬ; ρ ⊢ M1 False
  ──────────────────────────── (⇒-TRUE1)
  𝒜; ℬ; ρ ⊢ M1 ⇒ M2 True

  𝒜; ℬ; ρ ⊢ M2 True
  ──────────────────────────── (⇒-TRUE2)
  𝒜; ℬ; ρ ⊢ M1 ⇒ M2 True

  𝒜; ℬ; ρ ⊢ M1 True    𝒜; ℬ; ρ ⊢ M2 False
  ───────────────────────────────────────── (⇒-FALSE)
  𝒜; ℬ; ρ ⊢ M1 ⇒ M2 False

Figure 7: Check predicate truth under a lattice
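As an added example (not the paper's code), here is a direct transcription into Python of the three-valued truth judgment of Figures 7 and 8 together with the compromise variant's (infer-compromise), (rel-u-compromise) and (discover) rules. Predicates are tuples such as ("and", M1, M2); inference rules are kept already substituted, as (trigger predicate, effect lattice) pairs, which is our simplification of P ⇝ Q̄ with σ applied. The relationship names, the lattice contents and the two inference rules are constructed for the demonstration.

```python
"""Three-valued truth of bound predicates (Figures 7, 8) with inferred
relationships for the compromise variant (Figure 9). Added example."""
from typing import Dict, List, Tuple

BOT, TRUE, FALSE, UNKNOWN = "bot", "true", "false", "unknown"   # lattice elements
T, F, U = "True", "False", "Unknown"                               # ternary logic

Lattice = Dict[str, str]       # relationship -> lattice element, bot elsewhere
BoolConsts = Dict[str, str]    # runtime label -> ternary value (the ℬ lattice)
InferenceRules = List[Tuple[tuple, Lattice]]   # already-substituted P ⇝ Q̄


def leq(a: str, b: str) -> bool:
    return a == b or a == BOT or b == UNKNOWN


def lattice_leq(p: Lattice, q: Lattice) -> bool:
    return all(leq(p.get(k, BOT), q.get(k, BOT)) for k in set(p) | set(q))


def override_meet(p: Lattice, q: Lattice) -> Lattice:
    """Overriding meet: a defined (non-bot) value in q replaces the value in p."""
    out = dict(p)
    out.update({k: v for k, v in q.items() if v != BOT})
    return out


def lookup(rho: Lattice, R: str) -> str:
    """REL-TRUE / REL-FALSE / REL-UNKNOWN-SOUND/COMPLETE: read R off the lattice."""
    return {TRUE: T, FALSE: F}.get(rho.get(R, BOT), U)


def infer(rho: Lattice, rules: InferenceRules, B: BoolConsts) -> List[Lattice]:
    """DISCOVER: each rule whose trigger is True under ρ yields ρ' = lattice(Q̄),
    kept only if ρ' ⊑ ρ. Because true ⋢ false, an inferred value can refine an
    unknown relationship but never contradict a declared one; a relationship
    still at bot is not refined either, since true ⋢ bot."""
    out = []
    for trigger, effects in rules:
        # the trigger is judged without inference, so discovery does not recurse
        if truth(trigger, rho, B, "sound", []) == T and lattice_leq(effects, rho):
            out.append(effects)
    return out


def truth(M: tuple, rho: Lattice, B: BoolConsts, variant: str,
          rules: InferenceRules) -> str:
    """𝒜; ℬ; ρ ⊢ M t. The alias lattice is not needed here because the
    relationships in M are already bound to labels."""
    kind = M[0]
    if kind == "true":
        return T
    if kind == "false":
        return F
    if kind == "rel":
        t = lookup(rho, M[1])
        if t != U or variant != "compromise":
            return t
        for rho_p in infer(rho, rules, B):            # INFER-COMPROMISE
            t2 = lookup(override_meet(rho, rho_p), M[1])
            if t2 != U:
                return t2
        return U                                      # REL-UNKNOWN-COMPROMISE
    if kind == "test":                                # R/ℓ_test, REL-TEST-*
        t1 = truth(("rel", M[1]), rho, B, variant, rules)
        t2 = B.get(M[2], U)
        if t1 == U or t2 == U:
            return U
        return T if t1 == t2 else F
    if kind == "not":
        return {T: F, F: T}.get(truth(M[1], rho, B, variant, rules), U)
    t1 = truth(M[1], rho, B, variant, rules)
    t2 = truth(M[2], rho, B, variant, rules)
    if kind == "and":
        return F if F in (t1, t2) else (T if t1 == t2 == T else U)
    if kind == "or":
        return T if T in (t1, t2) else (F if t1 == t2 == F else U)
    if kind == "imp":                                 # M1 ⇒ M2
        return T if t1 == F or t2 == T else (F if t1 == T and t2 == F else U)
    raise ValueError(f"unknown predicate form {kind!r}")


# Constructed scenario: i is a child of coll, Item(i,coll) is not yet known,
# Selected(i) is known false. RULE_OK says Child(i,coll) ⇝ Item(i,coll);
# RULE_CLASH additionally tries to assert Selected(i), contradicting ρ.
RHO = {"Child(i,coll)": TRUE, "Item(i,coll)": UNKNOWN, "Selected(i)": FALSE}
RULE_OK = [(("rel", "Child(i,coll)"), {"Item(i,coll)": TRUE})]
RULE_CLASH = [(("rel", "Child(i,coll)"), {"Item(i,coll)":TRUE, "Selected(i)":TRUE})]


def demo() -> dict:
    item = ("rel", "Item(i,coll)")
    return {
        "sound": truth(item, RHO, {}, "sound", RULE_OK),                   # Unknown
        "compromise": truth(item, RHO, {}, "compromise", RULE_OK),         # True
        "compromise_clash": truth(item, RHO, {}, "compromise", RULE_CLASH),  # Unknown
        "test_true": truth(("test", "Item(i,coll)", "l1"), RHO, {"l1": T},
                           "compromise", RULE_OK),                         # True
        "implication": truth(("imp", item, ("rel", "Selected(i)")), RHO, {},
                             "sound", []),                                 # Unknown
    }
```

The `compromise_clash` entry shows the second property listed above in action: because the clashing rule would move Selected(i) from false to true, ρ' ⊑ ρ fails and the whole inferred lattice is discarded, so Item(i,coll) stays Unknown even though the Item part alone would have been admissible.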


4.2  Matching  on  an  operator 

In order to check a constraint, the analysis must determine whether a source instruction, called instr, matches the syntactic operation op defined by a constraint. This is realized in the judgment

  𝒜; Γ_y ⊢ instr : op ⊨ (Σ^t, Σ^u)

with rules defined in Figure 10. Given the alias lattice 𝒜 and a typing environment for the free variables in op, this judgment matches instr to op and produces two disjoint sets of substitutions that map specification variables in op to heap locations. The first set, Σ^t, represents possible substitutions where the locations are all known to be a subtype of the type required by the variables. The second set, Σ^u, are potential substitutions where the locations may or may not have the right type at runtime.

Judgment: 𝒜; ℬ; ρ ⊢ M t (continued)

  𝒜; ℬ; ρ ⊢ M1 Unknown    𝒜; ℬ; ρ ⊢ M2 Unknown
  ───────────────────────────────────────────── (⇒-UNKNOWN1)
  𝒜; ℬ; ρ ⊢ M1 ⇒ M2 Unknown

  𝒜; ℬ; ρ ⊢ M1 True    𝒜; ℬ; ρ ⊢ M2 Unknown
  ────────────────────────────────────────── (⇒-UNKNOWN2)
  𝒜; ℬ; ρ ⊢ M1 ⇒ M2 Unknown

  𝒜; ℬ; ρ ⊢ M1 Unknown    𝒜; ℬ; ρ ⊢ M2 False
  ─────────────────────────────────────────── (⇒-UNKNOWN3)
  𝒜; ℬ; ρ ⊢ M1 ⇒ M2 Unknown

  𝒜; ℬ; ρ ⊢ M1 True    𝒜; ℬ; ρ ⊢ M2 True
  ──────────────────────────────────────── (∧-TRUE)
  𝒜; ℬ; ρ ⊢ M1 ∧ M2 True

  𝒜; ℬ; ρ ⊢ M1 False
  ──────────────────────── (∧-FALSE1)
  𝒜; ℬ; ρ ⊢ M1 ∧ M2 False

  𝒜; ℬ; ρ ⊢ M2 False
  ──────────────────────── (∧-FALSE2)
  𝒜; ℬ; ρ ⊢ M1 ∧ M2 False

  𝒜; ℬ; ρ ⊢ M1 True    𝒜; ℬ; ρ ⊢ M2 Unknown
  ────────────────────────────────────────── (∧-UNKNOWN1)
  𝒜; ℬ; ρ ⊢ M1 ∧ M2 Unknown

  𝒜; ℬ; ρ ⊢ M1 Unknown    𝒜; ℬ; ρ ⊢ M2 True
  ────────────────────────────────────────── (∧-UNKNOWN2)
  𝒜; ℬ; ρ ⊢ M1 ∧ M2 Unknown

  𝒜; ℬ; ρ ⊢ M1 Unknown    𝒜; ℬ; ρ ⊢ M2 Unknown
  ───────────────────────────────────────────── (∧-UNKNOWN3)
  𝒜; ℬ; ρ ⊢ M1 ∧ M2 Unknown

  𝒜; ℬ; ρ ⊢ M1 True
  ──────────────────────── (∨-TRUE1)
  𝒜; ℬ; ρ ⊢ M1 ∨ M2 True

  𝒜; ℬ; ρ ⊢ M2 True
  ──────────────────────── (∨-TRUE2)
  𝒜; ℬ; ρ ⊢ M1 ∨ M2 True

  𝒜; ℬ; ρ ⊢ M1 False    𝒜; ℬ; ρ ⊢ M2 False
  ───────────────────────────────────────── (∨-FALSE)
  𝒜; ℬ; ρ ⊢ M1 ∨ M2 False

  𝒜; ℬ; ρ ⊢ M1 False    𝒜; ℬ; ρ ⊢ M2 Unknown
  ─────────────────────────────────────────── (∨-UNKNOWN1)
  𝒜; ℬ; ρ ⊢ M1 ∨ M2 Unknown

  𝒜; ℬ; ρ ⊢ M1 Unknown    𝒜; ℬ; ρ ⊢ M2 False
  ─────────────────────────────────────────── (∨-UNKNOWN2)
  𝒜; ℬ; ρ ⊢ M1 ∨ M2 Unknown

  𝒜; ℬ; ρ ⊢ M1 Unknown    𝒜; ℬ; ρ ⊢ M2 Unknown
  ───────────────────────────────────────────── (∨-UNKNOWN3)
  𝒜; ℬ; ρ ⊢ M1 ∨ M2 Unknown

Figure 8: Check predicate truth under a lattice

Judgment: 𝒜; ℬ ⊢ ρ infers ρ'

  P ⇝ Q̄ ∈ I    𝒜; ℬ; ρ ⊢ P[σ] True    ρ' = lattice(Q̄[σ]; 𝒜; ℬ)    ρ' ⊑ ρ
  ──────────────────────────────────────────────────────────────────── (DISCOVER)
  𝒜; ℬ ⊢ ρ infers ρ'

Figure 9: Infer new relationships

Judgment: 𝒜; Γ_y ⊢ instr : op ⊨ (Σ^t, Σ^u)

  FV(τ_this.m(ȳ : τ̄) : τ_ret) ⊆ Γ_y
  (Σ^t, Σ^u) = findLabels(𝒜; Γ_y; x_ret, x_this, x̄; ret, this, ȳ)
  ────────────────────────────────────────────────────────────────── (INVOKE)
  𝒜; Γ_y ⊢ x_ret = x_this.m(x̄) : τ_this.m(ȳ : τ̄) : τ_ret ⊨ (Σ^t, Σ^u)

  FV(new τ(ȳ : τ̄)) ⊆ Γ_y
  (Σ^t, Σ^u) = findLabels(𝒜; Γ_y; x_ret, x̄; this, ȳ)
  ──────────────────────────────────────────────────── (CONSTRUCTOR)
  𝒜; Γ_y ⊢ x_ret = new τ(x̄) : new τ(ȳ : τ̄) ⊨ (Σ^t, Σ^u)

  ────────────────────────────────────────────
  𝒜; Γ_y ⊢ eom : end-of-method ⊨ ({∅}, ∅)

  |x̄| = |ȳ| = n
  Σ^t = { (y1 ↦ ℓ1), ..., (yn ↦ ℓn) | ∀i ∈ 1..n . L(x_i) = {ℓ_i} ∧ Γ_ℓ(ℓ_i) <: Γ_y(y_i) }
  Σ^u = { (y1 ↦ ℓ1), ..., (yn ↦ ℓn) | ∀i ∈ 1..n . ℓ_i ∈ L(x_i) ∧ ∃τ' . τ' <: Γ_ℓ(ℓ_i) ∧ τ' <: Γ_y(y_i) } − Σ^t
  ───────────────────────────────────────────────────────────────────────────────────── (FIND-LABELS)
  findLabels(⟨Γ_ℓ; L⟩; Γ_y; x̄; ȳ) = (Σ^t, Σ^u)

Figure 10: Matching instructions to operations and type satisfaction

As an example, we will walk through the rule (invoke). The first premise checks that the free variables in op are in Γ_y, and the second premise builds the substitution set using the findLabels function. Each substitution in the set will map the specification variables in op (this, ret, and y_1 ... y_n) to a location in the heap that is aliased by the appropriate source variables in instr (x_this, x_ret, and x_1 ... x_n).

To produce the set Σ^t, the findLabels function must generate a substitution for each y_i in ȳ. It starts by verifying that the corresponding source variable x_i points to only one location ℓ, and it checks to see if the type of that location is a subtype of the type required for y_i. Every substitution σ which fits these requirements is in Σ^t.

Σ^u is a more interesting set. Unlike Σ^t, it checks all locations which x_i aliases and records a possible substitution for each. Additionally, when it checks the type, it allows the location if there is even a possibility of it being the right type. As an example, consider the class hierarchy and use of findLabels shown in Figure 11. In the first row, ℓ is definitely substitutable for y, so it is a substitution in Σ^t. In the second row, y can never be substituted by ℓ, so both sets are empty. In the third and fourth rows, ℓ may be substitutable for y (if ℓ has type B or C, respectively), so both substitutions are possibly, but not definitely, allowed and are therefore in Σ^u.
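An added example (not the paper's code) of findLabels from Figure 10 run over the four rows of Figure 11. The class hierarchy the figure draws is not on this page, so the one used here is an assumption: B and C extend A, and C also implements the interface D, which is what makes rows 3 and 4 resolve as the text describes. The last function goes beyond Figure 11 to a source variable with two aliases, which the (find-labels) rule excludes from Σ^t altogether.

```python
"""findLabels (Figure 10) computing Σ^t and Σ^u over the rows of Figure 11.
Added example; the class hierarchy is an assumption, see SUPERTYPES."""
from itertools import product
from typing import Dict, Set, Tuple

# Declared direct supertypes of each type (constructed hierarchy):
# B extends A, C extends A and implements D, A and D have no supertypes.
SUPERTYPES: Dict[str, Set[str]] = {"A": set(), "B": {"A"}, "C": {"A", "D"}, "D": set()}


def subtype(t: str, u: str) -> bool:
    """t <: u, reflexive and transitive over SUPERTYPES."""
    return t == u or any(subtype(s, u) for s in SUPERTYPES[t])


def may_have_type(t: str, u: str) -> bool:
    """∃τ' . τ' <: t ∧ τ' <: u: a location statically typed t could have a
    runtime type that also satisfies u."""
    return any(subtype(w, t) and subtype(w, u) for w in SUPERTYPES)


Subst = Tuple[Tuple[str, str], ...]   # ((y1, l1), ..., (yn, ln))


def find_labels(gamma_l: Dict[str, str], aliases: Dict[str, Set[str]],
                gamma_y: Dict[str, str], xs, ys) -> Tuple[Set[Subst], Set[Subst]]:
    """findLabels(⟨Γ_ℓ; L⟩; Γ_y; x̄; ȳ) = (Σ^t, Σ^u). gamma_l types the heap
    locations, aliases is L, gamma_y types the specification variables."""
    assert len(xs) == len(ys)
    sigma_t: Set[Subst] = set()
    # Σ^t: every x_i points to exactly one location, and that location's
    # static type is a subtype of the type y_i requires.
    if all(len(aliases[x]) == 1 for x in xs):
        cand = tuple((y, next(iter(aliases[x]))) for x, y in zip(xs, ys))
        if all(subtype(gamma_l[l], gamma_y[y]) for y, l in cand):
            sigma_t.add(cand)
    # Σ^u: any combination of aliased locations whose types could still match
    # at runtime, minus the definite substitutions.
    sigma_u: Set[Subst] = set()
    for locs in product(*(sorted(aliases[x]) for x in xs)):
        cand = tuple(zip(ys, locs))
        if all(may_have_type(gamma_l[l], gamma_y[y]) for y, l in cand):
            sigma_u.add(cand)
    return sigma_t, sigma_u - sigma_t


def figure11_row(loc_type: str, spec_type: str):
    """One row of Figure 11: a single location l of type loc_type, x ↦ {l},
    and a specification variable y of type spec_type."""
    return find_labels({"l": loc_type}, {"x": {"l"}}, {"y": spec_type}, ["x"], ["y"])


def figure11() -> dict:
    rows = [("B", "A"), ("B", "D"), ("A", "B"), ("A", "D")]
    return {row: figure11_row(*row) for row in rows}


def two_aliases():
    """Beyond Figure 11: x may point to l1 (type B) or l2 (type A) and y : A.
    Σ^t is empty because x is not a single location; both land in Σ^u."""
    return find_labels({"l1": "B", "l2": "A"}, {"x": {"l1", "l2"}},
                       {"y": "A"}, ["x"], ["y"])
```

Row 2 (location of type B, variable of type D) is the case where `may_have_type` matters: no type in the hierarchy is below both B and D, so the substitution is rejected outright rather than deferred to Σ^u.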

The need for Σ^u may seem surprising, but the rationale behind it is that framework constraints do not always adhere to behavioral subtyping. Consider the DropDownList selection constraint being analyzed for the code in Listing 8. Since list is of type ListControl, the trigger clause of the first constraint in Listing 7 will not be true, and the constraint will never trigger an error. However, we would like this to trigger a potential violation in the sound variant since list could be a DropDownList. The root of the problem is that DropDownList does not follow the principle of behavioral subtyping; it has added preconditions to methods that the base class did not require. Therefore, a DropDownList is not always substitutable where a ListControl is used! While frustrating, this appears to be a common problem with frameworks. Inheritance was used here rather than composition because the type is structurally the same, and it is almost behaviorally the same. In fact, the methods on DropDownList itself do appear to be behaviorally the same. However, the subtype added a few constraints to other classes, like the ListItem class.

  findLabels(⟨ℓ : Γ_ℓ, x ↦ {ℓ}⟩; y : Γ_y; x; y) = (Σ^t, Σ^u)

  Γ_ℓ   Γ_y   Σ^t          Σ^u
  B     A     {(y ↦ ℓ)}    ∅
  B     D     ∅            ∅
  A     B     ∅            {(y ↦ ℓ)}
  A     D     ∅            {(y ↦ ℓ)}

Figure 11: The difference between Σ^t and Σ^u

Listing 8: Generically changing the selection on a ListControl

  ListControl list = ...;
  ListItem item;
  item = list.getItems().findByValue("foo");
  item.setSelected(true);

Keeping track of Σ^t and Σ^u separately allows the variants of the analysis to use them differently. In particular, the sound variant will trigger errors from substitutions in Σ^u, while the complete and compromise variants will only use Σ^u to propagate lattice changes from the effect list.

4.3  Checking  a  single  constraint 

We will now show how the analysis checks an instruction for a single constraint. This is done with the judgment

  𝒜; ℬ; ρ; cons ⊢ instr ↝ ρ_Δ

shown in Figure 12. This judgment takes the alias lattice, the relationship lattice, and a constraint, and it determines what changes to make to the lattice for the given instruction. The lattice changes are represented in ρ_Δ, where a relationship mapped to bot signifies no changes.

The analysis starts by checking whether the instruction matches the operation used by the constraint. If not, then the instruction matching rules will return no substitutions, the rule (no-match) will apply, and no changes are made by returning ⊥_𝒜. If there are substitutions, as shown in rule (match), then the analysis must check this constraint for every aliasing configuration possible, as represented by Σ^t and Σ^u. This rule checks that the constraint passes for each aliasing configuration σ and receives the lattice changes for each. If the substitution was from Σ^u, then the analysis must use the polarity operator on the change lattice and the starting lattice to produce the correct change lattice. This is done because the analysis cannot be sure if the substitution is valid at runtime, so it can only make changes into the unknown state. Setting all changes to unknown could cause the analysis to lose precision when ρ_Δ prescribes a change that already exists in ρ. A possible solution is to let the polarizing operator return bot if the prescribed changes already exist in the lattice ρ (we have not yet proven this extension is sound).

Judgment: 𝒜; ℬ; ρ; cons ⊢ instr ↝ ρ_Δ

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        𝒜; FV(cons) ⊢ instr : op ⊨ (Σ^t, Σ^u)
  𝒫^t = { ρ_Δ | σ ∈ Σ^t ∧ 𝒜; ℬ; ρ; σ ⊢_part cons ↝ ρ_Δ }
  𝒫^u = { ρ_Δ | σ ∈ Σ^u ∧ 𝒜; ℬ; ρ; σ ⊢_part cons ↝ ρ_Δ }
  Σ^t ≠ ∅ ∨ Σ^u ≠ ∅      |𝒫^t| = |Σ^t|      |𝒫^u| = |Σ^u|      𝒫_Δ = 𝒫^t ∪ { polarize(ρ_Δ) | ρ_Δ ∈ 𝒫^u }
  ────────────────────────────────────────────────────────────────────────────────────── (MATCH)
  𝒜; ℬ; ρ; cons ⊢ instr ↝ eqjoin(𝒫_Δ)

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        𝒜; FV(cons) ⊢ instr : op ⊨ (∅, ∅)
  ──────────────────────────────────────────────────────────────────── (NO-MATCH)
  𝒜; ℬ; ρ; cons ⊢ instr ↝ ⊥_𝒜

Judgment: 𝒜; ℬ; ρ; σ ⊢_part cons ↝ ρ_Δ

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        Γ_y = FV(op) ∪ FV(P_ctx) ∪ FV(Q̄)
  allValidSubs(𝒜; σ_op; Γ_y) = (Σ^t, Σ^u)
  𝒫^t = { ρ_Δ | σ ∈ Σ^t ∧ 𝒜; ℬ; ρ; σ ⊢_full cons ↝ ρ_Δ }
  𝒫^u = { ρ_Δ | σ ∈ Σ^u ∧ 𝒜; ℬ; ρ; σ ⊢_full cons ↝ ρ_Δ }
  Σ^t ≠ ∅ ∨ Σ^u ≠ ∅      |Σ^t| = |𝒫^t|      |Σ^u| = |𝒫^u|      𝒫_Δ = 𝒫^t ∪ 𝒫^u
  ────────────────────────────────────────────────────────────────────────────── (BOUND)
  𝒜; ℬ; ρ; σ_op ⊢_part cons ↝ eqjoin(𝒫_Δ)

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        Γ_y = FV(op) ∪ FV(P_ctx) ∪ FV(Q̄)
  allValidSubs(𝒜; σ_op; Γ_y) = (∅, ∅)
  ──────────────────────────────────────────────────────────────────── (CANT-BIND)
  𝒜; ℬ; ρ; σ_op ⊢_part cons ↝ ⊥_𝒜

  Σ^t = { σ' | σ' ⊇ σ ∧ dom(σ') = dom(Γ_y) ∧ ∀ y ↦ ℓ ∈ σ' . Γ_ℓ(ℓ) <: Γ_y(y) }
  Σ^u = { σ' | σ' ⊇ σ ∧ dom(σ') = dom(Γ_y) ∧ ∀ y ↦ ℓ ∈ σ' . ∃τ' . τ' <: Γ_ℓ(ℓ) ∧ τ' <: Γ_y(y) } − Σ^t
  ─────────────────────────────────────────────────────────────────────────────────────── (VALIDSUBS)
  allValidSubs(⟨Γ_ℓ; L⟩; σ; Γ_y) = (Σ^t, Σ^u)

Figure 12: Check a single constraint

The last step the rule makes is to combine all the lattice changes, from all substitutions, using the equivalence join. The use of the equivalence join means that a change is only made to true or false if all the aliasing configurations agree on it. Likewise, a signal to make no changes by way of bot must also show in all configurations. If any configurations disagree about a lattice change, then the lattice element changes to unknown.

Once the analysis has a syntactic match, it tries to find the aliasing configurations for a semantic match using the judgment

  𝒜; ℬ; ρ; σ ⊢_part cons ↝ ρ_Δ

The analysis must get all aliasing configurations that are consistent with the current aliases in σ and Γ_y. σ represents the substitutions which are already made by matching the instruction, while Γ_y represents the free variables and their types for which the analysis should find substitutions. The substitutions are found by the allValidSubs function, shown in Figure 12. The rule (bound) proceeds in a similar manner to the rule (match), except it checks the constraint using the judgment

  𝒜; ℬ; ρ; σ ⊢_full cons ↝ ρ_Δ

The rules for this judgment, shown in Figure 13, are the primary point of difference between the variants of the analysis.

Sound Variant

The sound variant first checks P_trg[σ] under ρ. It uses this to determine which rule applies. If P_trg[σ] is True, as seen in rule (full-t-sound), then the analysis must check if P_req is True under ρ given any substitution. Since this is the sound variant, it will only accept substitutions from Σ^t. If P_req is not True with a substitution from Σ^t, then the analysis produces an error. If there is no error, the rule produces the effects dictated by Q̄[σ]. The function lattice simply converts this list to a lattice, where all unspecified relationships map to bot. If P_trg[σ] is False, then the analysis uses rule (full-f-sound). In this situation the constraint does not trigger, so the requires predicate is not checked and the analysis returns no changes using ⊥_𝒜.

In the case that P_trg[σ] is Unknown, the sound variant proceeds in a similar manner to the case where P_trg[σ] is True, as it must consider the possibility that the trigger predicate is actually true. In fact, the only difference in the rule (full-u-sound) is that the analysis must use the polarizing operator to be conservative with the effects it is producing, in case the trigger predicate was actually false.

Complete Variant

Like the sound variant, the complete variant starts by checking P_trg[σ] under ρ. If P_trg[σ] is True, as seen in rule (full-t-complete), then the analysis must check P_req under ρ given any substitution. As this is the complete variant, the analysis does not care whether the substitution came from Σ^t or Σ^u, and it does not matter whether P_req is True or Unknown. If no substitutions work, either because none exist or because they all show P_req to be false, then the analysis produces an error. Otherwise, if there is no error, then the rule produces some effects. Since the constraint trigger was true, it will produce exactly the effects dictated by Q̄[σ]. If the analysis determines that P_trg[σ] is False, then it uses the rule (full-f-complete). Like the sound variant, the requires predicate is not checked and the analysis returns no changes.

Finally, if P_trg[σ] is Unknown, the complete variant will not check P_req, as it cannot be sure whether the constraint is actually triggered and it should not produce an error. However, it must still produce some conservative effects in case the constraint is triggered given a more concrete lattice. Like the sound rule in the case of an unknown trigger, the rule uses the polarizing operator to produce only conservative effects.
Judgment: 𝒜; ℬ; ρ; σ ⊢_full cons ↝ ρ_Δ, Sound Variant

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        𝒜; ℬ; ρ ⊢ P_ctx[σ] True
  (Σ^t, Σ^u) = allValidSubs(𝒜; σ; FV(cons))
  ∃σ' ∈ Σ^t . 𝒜; ℬ; ρ ⊢ P_req[σ'] True
  ────────────────────────────────────────────────────────── (FULL-T-SOUND)
  𝒜; ℬ; ρ; σ ⊢_full cons ↝ lattice(Q̄[σ]; 𝒜; ℬ)

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        𝒜; ℬ; ρ ⊢ P_ctx[σ] False
  ────────────────────────────────────────────────────────── (FULL-F-SOUND)
  𝒜; ℬ; ρ; σ ⊢_full cons ↝ ⊥_𝒜

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        𝒜; ℬ; ρ ⊢ P_ctx[σ] Unknown
  (Σ^t, Σ^u) = allValidSubs(𝒜; σ; FV(cons))
  ∃σ' ∈ Σ^t . 𝒜; ℬ; ρ ⊢ P_req[σ'] True        ρ_Δ = lattice(Q̄[σ]; 𝒜; ℬ)
  ────────────────────────────────────────────────────────────────────── (FULL-U-SOUND)
  𝒜; ℬ; ρ; σ ⊢_full cons ↝ polarize(ρ_Δ)

Judgment: 𝒜; ℬ; ρ; σ ⊢_full cons ↝ ρ_Δ, Complete Variant

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        𝒜; ℬ; ρ ⊢ P_ctx[σ] True
  (Σ^t, Σ^u) = allValidSubs(𝒜; σ; FV(cons))
  ∃σ' ∈ Σ^t ∪ Σ^u . 𝒜; ℬ; ρ ⊢ P_req[σ'] True ∨ 𝒜; ℬ; ρ ⊢ P_req[σ'] Unknown
  ──────────────────────────────────────────────────────────────────────── (FULL-T-COMPLETE)
  𝒜; ℬ; ρ; σ ⊢_full cons ↝ lattice(Q̄[σ]; 𝒜; ℬ)

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        𝒜; ℬ; ρ ⊢ P_ctx[σ] False
  ────────────────────────────────────────────────────────── (FULL-F-COMPLETE)
  𝒜; ℬ; ρ; σ ⊢_full cons ↝ ⊥_𝒜

  cons = op : P_ctx ⇒ P_req ⇝ Q̄
  𝒜; ℬ; ρ ⊢ P_ctx[σ] Unknown        ρ_Δ = lattice(Q̄[σ]; 𝒜; ℬ)
  ──────────────────────────────────────────────────────────── (FULL-U-COMPLETE)
  𝒜; ℬ; ρ; σ ⊢_full cons ↝ polarize(ρ_Δ)

Judgment: 𝒜; ℬ; ρ; σ ⊢_full cons ↝ ρ_Δ, Compromise Variant

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        𝒜; ℬ; ρ ⊢ P_ctx[σ] True
  (Σ^t, Σ^u) = allValidSubs(𝒜; σ; FV(cons))
  ∃σ' ∈ Σ^t . 𝒜; ℬ; ρ ⊢ P_req[σ'] True
  ────────────────────────────────────────────────────────── (FULL-T-COMPROMISE)
  𝒜; ℬ; ρ; σ ⊢_full cons ↝ lattice(Q̄[σ]; 𝒜; ℬ)

  cons = op : P_ctx ⇒ P_req ⇝ Q̄        𝒜; ℬ; ρ ⊢ P_ctx[σ] False
  ────────────────────────────────────────────────────────── (FULL-F-COMPROMISE)
  𝒜; ℬ; ρ; σ ⊢_full cons ↝ ⊥_𝒜

  cons = op : P_ctx ⇒ P_req ⇝ Q̄
  𝒜; ℬ; ρ ⊢ P_ctx[σ] Unknown        ρ_Δ = lattice(Q̄[σ]; 𝒜; ℬ)
  ──────────────────────────────────────────────────────────── (FULL-U-COMPROMISE)
  𝒜; ℬ; ρ; σ ⊢_full cons ↝ polarize(ρ_Δ)

Figure 13: Checking a fully bound constraint and producing effects. Shading highlights the differences between the three variants.
Judgment: f_{C;𝒜;ℬ}(ρ, instr) = ρ'

  ∀ cons_i ∈ C . 𝒜; ℬ; ρ; cons_i ⊢ instr ↝ ρ_i^Δ        f_alias(𝒜, instr) = 𝒜'
  ρ_Δ = ⊔ {ρ_i^Δ}  (i ∈ 1..n)
  ─────────────────────────────────────────────────────────────────────────
  f_{C;𝒜;ℬ}(ρ, instr) = override(transfer(ρ, 𝒜'), ρ_Δ)

Figure 14: The flow function for the relation analysis


Compromise Variant

The compromise variant is a combination of the sound and complete variants. It has the same rule for False as the other two variants, (full-f-compromise). The rule (full-t-compromise) is the same as the True rule for soundness, while the rule (full-u-compromise) is the same as the Unknown rule for completeness. This means that this variant can produce both false positives and false negatives. The false negatives can occur when P_trg is Unknown under ρ, but a more precise lattice would have found P_trg to be True and eventually generated an error. The false positives occur when P_trg is True under ρ and P_req is Unknown under ρ, but P_req would have been True under a more precise lattice.

4.4 The flow function

The flow function for the analysis checks all the individual constraints and produces the final lattice for each operation. Using the judgments defined in the previous section, the flow function iterates through each constraint and receives a change lattice for each. As shown in Figure 14, these change lattices are combined using the join operator. Once the analysis has the final change lattice $\rho_\Delta$, it applies the changes using the overriding meet operation. This preserves the old value of a relationship if the change lattice maps it to bot, but overrides the old value otherwise. The result is the new relationship lattice $\rho'$, which the dataflow analysis feeds into the next instruction's flow function. The flow function is monotonic and the lattice has finite height, so the dataflow analysis will reach a fixpoint.
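To make the operations of this section concrete, the following Python model is added here as an illustration; it is not code from the paper or from the Crystal implementation. It encodes a relationship lattice as a dictionary from relationship atoms to lattice elements, implements the join, overriding meet and transfer operations of Appendix A and the flow step of Figure 14, and reproduces the decision each of the three variants makes for one fully bound constraint (Figure 13). The relationship atoms, the `(definite, truth)` encoding of the two substitution sets, and the `"weak"` result standing in for the polarity operator on effects are simplifications introduced for the example.

```python
"""Relationship lattice, flow step and checking variants (added example)."""
from enum import Enum


class Rel(Enum):
    """Lattice element of one relationship: bot below true and false, unknown on top."""
    BOT = "bot"
    TRUE = "true"
    FALSE = "false"
    UNKNOWN = "unknown"


class Truth(Enum):
    """Three-valued result of evaluating a predicate under rho."""
    TRUE = "True"
    FALSE = "False"
    UNKNOWN = "Unknown"


def join_elem(a, b):
    """Least upper bound of two lattice elements; true and false join to unknown."""
    if a is b or b is Rel.BOT:
        return a
    if a is Rel.BOT:
        return b
    return Rel.UNKNOWN


def join(rho_l, rho_r):
    """Pointwise join over equal domains (rule JOIN-rho of Appendix A.4)."""
    assert rho_l.keys() == rho_r.keys(), "join requires equal domains"
    return {r: join_elem(rho_l[r], rho_r[r]) for r in rho_l}


def override_meet(rho, rho_delta):
    """Overriding meet (Appendix A.2): keep the old value where the change lattice
    maps the relationship to bot, otherwise the change replaces it."""
    assert rho.keys() == rho_delta.keys(), "overriding meet requires equal domains"
    return {r: rho[r] if rho_delta[r] is Rel.BOT else rho_delta[r] for r in rho}


def transfer(rho, new_domain):
    """transfer (Appendix A.6): move rho onto the domain of the new aliasing
    environment; surviving relationships keep their value, new ones start unknown."""
    return {r: rho.get(r, Rel.UNKNOWN) for r in new_domain}


def flow_step(rho, new_domain, changes):
    """Figure 14: join the per-constraint change lattices, then fold them into the
    transferred lattice with the overriding meet."""
    rho_delta = {r: Rel.BOT for r in new_domain}
    for change in changes:
        rho_delta = join(rho_delta, change)
    return override_meet(transfer(rho, new_domain), rho_delta)


def check_full(variant, ctx, req):
    """Decision for one fully bound constraint op : Pctx => Preq ~> Q (Figure 13).

    ctx is the truth of Pctx[sigma].  req lists one (definite, truth) pair per
    candidate substitution sigma' of the remaining variables: definite is True
    for the lower set of substitutions and False for merely possible ones.
    Returns 'none' (constraint does not apply), 'error', 'effects', or 'weak'
    (effects produced under an Unknown trigger; this stands in for the paper's
    polarity operator).  variant is 'sound', 'complete' or 'compromise'.
    """
    definite_true = any(d and t is Truth.TRUE for d, t in req)
    any_not_false = any(t is not Truth.FALSE for _, t in req)
    if ctx is Truth.FALSE:
        return "none"
    if ctx is Truth.TRUE:
        # sound and compromise need a definite True; complete also accepts
        # Unknown results and merely possible substitutions
        ok = any_not_false if variant == "complete" else definite_true
        return "effects" if ok else "error"
    # Pctx is Unknown: only the sound variant still insists on Preq
    if variant == "sound" and not definite_true:
        return "error"
    return "weak"


def demo():
    """Constructed scenario: on entry to a callback nothing is known; one constraint
    reports that Child(item, list) became true, another reports nothing (bot)."""
    dom = ["Child(item, list)", "Selected(item, list)"]
    rho = transfer({}, dom)
    add_effect = {"Child(item, list)": Rel.TRUE, "Selected(item, list)": Rel.BOT}
    silent = {r: Rel.BOT for r in dom}
    return flow_step(rho, dom, [add_effect, silent])
```

Running `check_full` with an Unknown trigger shows the split described above: the sound variant still reports an error unless some definite substitution makes $P_{req}$ True, while the complete and compromise variants produce weakened effects and report nothing. With a True trigger and an Unknown $P_{req}$, the compromise variant reports an error where the complete variant does not, which is the false positive the text describes.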


5 Implementation and Experience

We implemented the compromise variant of the analysis in the Crystal dataflow analysis framework, an Eclipse plugin developed at Carnegie Mellon University for statically analyzing Java source.⁴ Crystal provides capabilities for analyzing source in three-address code form, running a branch-sensitive analysis, and reading specifications from annotations. For the implementation of this analysis, we also used a boolean constant propagation analysis and a basic alias analysis. Either of these could be replaced with a more sophisticated analysis in order to improve the results; the relation analysis depends only on the interfaces to these analyses.

We specified three constraints, one from the ASP.NET framework⁵ and two from the Eclipse JDT framework. These were all constraints which we had misused ourselves and which were common problems posted on the help forums and mailing lists. These constraints exercised several different patterns, and the specifications were able to capture each of these patterns.

⁴ http://code.google.com/p/crystalsaf

⁵ We translated the relevant parts of the API and the examples into Java.

The specifications allowed us to easily describe structured relationships, such as the ListItems which are in a DropDownList and a tree of ASTNodes within the Eclipse JDT. In each of these cases, a relationship ties the "child" and "parent" objects together, and it is straightforward to check whether two children have the same parent. Two of our constraints had a structured relationship where an operation required that some objects exist (or do not exist) in a structured relationship.

All three constraints had semantics which required operations to occur in a particular order. To define this pattern, we just needed a relationship which binds the relevant objects together. The operation which occurs first produces an effect which sets this relationship to true, and the operation which must occur second simply requires this relationship. An example of this was seen in the constraints on the DropDownList in Listing 7. Additionally, relationships also allowed us to specify partial orderings of operations. One of the Eclipse JDT constraints had this behavior, and in fact required three methods to be called before the constrained operation. Alternatively, the user could choose to call a fourth method that replaces all three method calls. We captured this constraint by having each of the four methods produce a relationship, and the constrained operation simply required either the three relationships produced by the group of three methods or the single relationship produced by the fourth one.

Relationships also made it straightforward to associate any objects that were used in the same operation. For example, this allowed us to associate several fields of an object so that we could later check that they were only used together. We did this by annotating the constructor of the object with a relationship effect that tied the field parameters together. We could also associate objects that were linked by some secondary object but had no direct connection, such as a DropDownList and the ListItems received from calls to the associated ListItemCollection.

After  specifying  the  constraints,  we  ran  the  compromise  analysis  on  20  examples  based  on 
real-world  code.  The  examples  we  selected  are  based  on  our  own  misuses  of  these  frameworks  and 
on  several  postings  on  internet  help  forums  and  mailing  lists.  Of  these,  the  compromise  variant 
worked  properly  on  16,  meaning  that  it  either  found  an  expected  error  or  did  not  find  an  error  on 
correct  code.  Most  of  these  examples  had  little  aliasing  and  used  exact  types,  which  reflected  what 
we  saw  on  the  help  forums. 

These examples identified two sources of imprecision. The compromise variant failed on one example because it used an unconstrained supertype, and it failed on the remaining three examples because the relevant constraint required objects which were not in scope. The unconstrained supertype resulted in a false negative, and the three examples with objects out of scope resulted in false positives. In all four of these cases, the sound variant would have flagged an error, and the complete variant would not have.

Using an unconstrained supertype, such as using a ListControl instead of a DropDownList, as seen in Listing 8, is the first potential source of imprecision for the compromise variant. While a sound analysis would have detected the error in this example, in practice using this superclass is not typical. The plugin has a DropDownList as a field if the control was initialized statically on the web page, and the plugin will typically cast directly to the expected subtype if it created the control dynamically. In fact, we never found code on the forum that used the superclass ListControl.

The  more  interesting,  and  more  typical,  source  of  imprecision  occurs  when  a  required  object 
is  not  in  scope.  For  example,  one  of  the  Eclipse  JDT  constraints  required  that  an  ASTNode  have  a 
relationship  with  an  AST  object.  The  plugin,  however,  did  not  have  any  AST  objects  in  scope  at  all, 
even  though  this  relationship  did  exist  globally.  Based  on  the  examples  we  found,  this  does  occur 
in  practice,  typically  when  the  framework  makes  multiple  callbacks  in  sequence,  such  as  with  a 
Visitor  pattern. 

Future  revisions  of  the  analysis  could  address  the  problem  of  out-of-scope  objects  with  two 
changes.  First,  it  should  be  possible  for  the  framework  to  declare  what  relationships  exist  at  the 
point  where  the  callback  occurs.  This  would  have  provided  the  correct  relationships  in  the  previous 
example,  and  it  should  be  relatively  straightforward  to  annotate  the  interface  of  the  plugin  with  this 
information.  Second,  an  inter-procedural  analysis  on  only  the  plugin  code  could  handle  the  case 
where  the  relationship  goes  out  of  scope  for  similar  reasons,  such  as  calls  to  a  helper  function. 
These  changes  would  increase  the  precision  of  all  three  variants  of  the  analysis. 

The two sources of imprecision affect all three variants, though in different ways. While imprecision anywhere in the constraint can produce a false positive in the sound variant or a false negative in the complete variant, the location of the imprecision in the constraint directly changes how the compromise variant handles it. When the imprecision occurs in the trigger predicate, the compromise variant produces a false negative. When the trigger predicate is precise but the requires predicate is imprecise, the compromise variant produces a false positive. This reflects what we expect from the analysis; we only wish to see an error if there is reason to believe that the constraint applies to our plugin. If the trigger predicate is unknown, it is less likely that the constraint is relevant.
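The following Python example is added here and is not taken from the paper. It makes two of the behaviors discussed in this section concrete: the partial-order requires predicate of the Eclipse JDT constraint ("three setup methods, or the single shortcut method") is written as a predicate over relationships, substituted with a binding from specification variables to plugin variables as in Appendix A.7, and evaluated against a relationship lattice in three-valued logic; and a relationship whose object is not in scope is simply absent from the lattice and therefore evaluates to Unknown, which under a True trigger is exactly the situation that yields a false positive in the compromise variant. The strong Kleene truth tables for the connectives, the treatment of a missing relationship as unknown, and the relationship names `Bound`, `Resolved`, `Prepared` and `Configured` are assumptions of the example, not definitions from the text.

```python
"""Three-valued evaluation of a requires predicate over rho (added example)."""
from dataclasses import dataclass
from typing import Tuple

TRUE, FALSE, UNKNOWN = "True", "False", "Unknown"


@dataclass(frozen=True)
class Rel:
    """rel(y1, ..., yn): a relationship atom looked up in rho after substitution."""
    name: str
    args: Tuple[str, ...]


@dataclass(frozen=True)
class Not:
    p: object


@dataclass(frozen=True)
class And:
    l: object
    r: object


@dataclass(frozen=True)
class Or:
    l: object
    r: object


@dataclass(frozen=True)
class Implies:
    l: object
    r: object


def substitute(p, sigma):
    """P[sigma]: rename specification variables to plugin variables (Appendix A.7).
    Variables not bound by sigma are left as they are."""
    if isinstance(p, Rel):
        return Rel(p.name, tuple(sigma.get(a, a) for a in p.args))
    if isinstance(p, Not):
        return Not(substitute(p.p, sigma))
    if isinstance(p, (And, Or, Implies)):
        return type(p)(substitute(p.l, sigma), substitute(p.r, sigma))
    return p  # the constants True and False stand for the predicates true and false


# Strong Kleene connectives (assumption: the paper's truth tables are not in this section)
def k_and(a, b):
    return FALSE if FALSE in (a, b) else (TRUE if a == b == TRUE else UNKNOWN)


def k_or(a, b):
    return TRUE if TRUE in (a, b) else (FALSE if a == b == FALSE else UNKNOWN)


def k_not(a):
    return {TRUE: FALSE, FALSE: TRUE, UNKNOWN: UNKNOWN}[a]


def evaluate(p, rho):
    """Truth of a substituted predicate under rho, where rho maps an atom such as
    'Bound(node)' to 'true', 'false' or 'unknown'.  An atom missing from rho's
    domain, e.g. because its object is out of scope, evaluates to Unknown."""
    if p is True:
        return TRUE
    if p is False:
        return FALSE
    if isinstance(p, Rel):
        key = f"{p.name}({', '.join(p.args)})"
        return {"true": TRUE, "false": FALSE}.get(rho.get(key, "unknown"), UNKNOWN)
    if isinstance(p, Not):
        return k_not(evaluate(p.p, rho))
    if isinstance(p, And):
        return k_and(evaluate(p.l, rho), evaluate(p.r, rho))
    if isinstance(p, Or):
        return k_or(evaluate(p.l, rho), evaluate(p.r, rho))
    return k_or(k_not(evaluate(p.l, rho)), evaluate(p.r, rho))  # Implies


# Requires predicate of the hypothetical partial-order constraint: either all three
# setup relationships hold for the node, or the single shortcut relationship does.
SETUP_REQUIRED = Or(
    And(And(Rel("Bound", ("n",)), Rel("Resolved", ("n",))), Rel("Prepared", ("n",))),
    Rel("Configured", ("n",)),
)


def check_requires(rho, plugin_var="node"):
    """Bind the specification variable n to the plugin's variable and evaluate."""
    return evaluate(substitute(SETUP_REQUIRED, {"n": plugin_var}), rho)
```

With all three setup relationships true, or with `Configured` true on its own, the predicate is True and the compromise variant produces the effects; with one of the three unknown and no shortcut, it is Unknown, and under a True trigger the compromise variant reports an error even though a more precise lattice might have made it True.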


6  Related  Work 

SCF [9] allows framework developers to create a specification for the structural constraints for using the framework. The specifications we propose focus on semantic constraints rather than structural constraints. Some of the key ideas from SCF could be used to drive the more structurally focused parts of the specifications, and we view the two as complementary.

Scoped Methods [16] are a language construct for enforcing protocols which are local to a method, such as a framework callback. Like SCF, scoped methods are structural and do not take the semantic context of objects into account.

Typestates [6] provide a mechanism for specifying a protocol on a single object by using a state machine. There have been several approaches to inter-object typestate. Lam et al. manipulated the typestate of many objects together through their participation in data structures [12]. Nanda et al. take this a step further by allowing external objects to affect a particular object's state, but unlike relationships, their approach requires that the objects reference each other through a pre-defined path [14]. Bierhoff and Aldrich add permissions to typestates and allow objects to capture the permission of another object, thus binding the objects as needed for the protocol [2]. Relationships can combine multiple objects into a single state-like construct and are more general for this purpose than typestate; they can describe all of the examples used in the multiple-object typestate work.
With respect to the specifications, relationships are more incremental than typestate because the entire protocol does not need to be specified in order to specify a single constraint. Additionally, the plugin developer does not add any specifications, which she must do with some of the typestate approaches. However, typestate analyses aim to be sound, and can also check that both the plugin and the framework meet the specification. The relationship analysis assumes that the framework properly meets the specification and only analyzes the plug-in.

Tracematches  have  also  been  used  to  enforce  protocols  [17].  Unlike  typestate,  which  specifies 
the  correct  protocol,  tracematches  specify  a  temporal  sequence  of  events  which  lead  to  an  error 
state.  This  is  done  by  defining  a  state  machine  for  the  protocol  and  then  specifying  the  bad  paths. 

The tracematch specification approach is similar to that of relationships; the main difference is in how the techniques specify the path leading up to the error state. Tracematches must specify the entire good path leading up to the error state, which leads to many specifications to define a single bad error state. In cases where multiple execution traces lead to the same error, such as the many ways to find an item in a DropDownList and select it incorrectly, a tracematch would have to specify each possibility. Instead of specifying the good path leading up to the error, relationships specify the context predicate, which is the same for all good paths. This difference affects how robust a specification is in the face of API changes. If the framework developer adds a new way to access ListItems in a ListControl, the existing tracematches will not cover that good path. However, all the constraint specifications in the proposed technique will continue to work if the new method is annotated with the appropriate relationship effects.

Unlike relationships, tracematches are enforced both dynamically and statically using a global analysis [4]. The static analysis soundly determines possible violations, and it instruments the code to check them dynamically. Bodden et al. provide a static analysis which optimizes the dynamic analysis by verifying more errors statically [5], and Naeem and Lhoták specifically optimize with regard to tracematches that involve multiple objects [13].

Bierman and Wren formalized UML relationships as a first-class language construct [3]. The language extension they created gives relationships attributes and inheritance, and plugin developers use the relationships by explicitly adding and removing them. In contrast, the relationships presented in this paper are added and removed implicitly through use of framework operations, and if inferred relationships are used, they may be entirely hidden from the developer. While Bierman and Wren did not explore constraints on relationships, Balzer et al. discuss how to describe relationship invariants using discrete mathematics [1]. These invariants are on the relationships themselves and, unlike the proposed work, they do not constrain the framework operations.

Like  the  proposed  framework  language,  Contracts  [8]  also  view  relationships  between  objects 
as  a  key  factor  in  specifying  systems.  A  contract  also  declares  the  objects  involved  in  the  contract, 
an  invariant,  and  a  lifetime  where  the  invariant  is  guaranteed  to  hold.  Contracts  allow  all  the 
power  of  first-order  predicate  logic  and  can  express  very  complex  invariants.  Contracts  differ 
from  the  proposed  specifications  because  they  do  not  check  the  conformance  of  plugins  and  the 
specifications  are  more  complex  to  write. 

Our analysis itself is similar to a shape analysis, with the closest being TVLA [15]. TVLA allows developers to extend shape analysis using custom predicates that relate different objects. Our constraint specifications could be written as custom TVLA predicates, but the lower level of abstraction would result in a more complex specification and would require greater expertise from the specifier.


7  Conclusion 

Relationships capture the interaction between a plugin and framework by describing how abstract object associations change as the plugin makes calls to the framework. We can then use these relationships to describe non-local constraints on the framework operations. We have shown that relationship-based constraints can describe many constraint paradigms found in real frameworks, capturing relationship structure, operation order, and object associations that may or may not derive from direct references. As the specifications are written entirely by framework developers, plugin developers only need to run the analysis on their code, so that investments by a few framework developers pay dividends to many plugin developers.

A modular, intra-procedural static analysis can check that the plugin code meets framework constraints. This analysis is particularly interesting because it is adjustable. While many analyses strive to be only sound or only complete, the relation analysis can be run soundly, completely, or as a compromise of the two, thereby allowing the plugin developer to choose the variant that provides the most useful results.
A Operations

A.1 Equivalence Join on ρ

\[
\frac{dom(\rho_l) = dom(\rho_r) = dom(\rho) \qquad \forall\, R \mapsto E \in \rho .\ E = \rho_l(R) \uplus \rho_r(R)}
{\rho_l \uplus \rho_r = \rho}\ (\textsc{EqJoin-}\rho)
\]


A.2 Overriding Meet on ρ

\[
\frac{dom(\rho) = dom(\rho_\Delta) = dom(\rho') \qquad \forall\, R \mapsto E' \in \rho' .\ E' = \rho(R) \sqcap \rho_\Delta(R)}
{\rho \sqcap \rho_\Delta = \rho'}\ (\textsc{OvrMeet-}\rho)
\]


A.3 Polarity operator on ρ

\[
\frac{dom(\rho) = dom(\rho') \qquad \forall\, R \mapsto E \in \rho' .\ E = \ddagger\rho(R)}
{\ddagger\rho = \rho'}\ (\ddagger\text{-}\rho)
\]


A.4 Join on ρ

\[
\frac{dom(\rho_l) = dom(\rho_r) = dom(\rho) \qquad \forall\, R \mapsto E \in \rho .\ E = \rho_l(R) \sqcup \rho_r(R)}
{\rho_l \sqcup \rho_r = \rho}\ (\sqcup\text{-}\rho)
\]


A.5 At least as precise on ρ

\[
\frac{E_c \sqsubseteq E_a \qquad \rho_c \sqsubseteq \rho_a}
{\rho_c, R \mapsto E_c \ \sqsubseteq\ \rho_a, R \mapsto E_a}
\qquad
\frac{\emptyset \sqsubseteq \rho_a}
{\emptyset \ \sqsubseteq\ \rho_a, R \mapsto unknown}\ (\sqsubseteq\text{-Partial-Unknown})
\]

\[
\frac{\emptyset \sqsubseteq \rho_a}
{\emptyset \ \sqsubseteq\ \rho_a, R \mapsto bot}\ (\sqsubseteq\text{-Partial-Bot})
\qquad
\frac{}{\emptyset \sqsubseteq \emptyset}\ (\sqsubseteq\text{-}\emptyset)
\]


A.6 Transfer into new aliasing environment, transfer

\[
\frac{\rho' = \{\, R \mapsto E \mid R \in dom(\bot_{A'}) \ \wedge\ (R \in dom(\rho) \Rightarrow E = \rho(R)) \ \wedge\ (R \notin dom(\rho) \Rightarrow E = unknown) \,\}}
{\rho' = transfer(\rho, A')}\ (\textsc{Transfer})
\]


A.7 Substitution on P

$P[\sigma] = P'$. Do the obvious thing.

\[
\begin{array}{rcl}
(P_1 \wedge P_2)[\sigma] &=& P_1[\sigma] \wedge P_2[\sigma] \\
(P_1 \vee P_2)[\sigma] &=& P_1[\sigma] \vee P_2[\sigma] \\
(P_1 \Rightarrow P_2)[\sigma] &=& P_1[\sigma] \Rightarrow P_2[\sigma] \\
true[\sigma] &=& true \\
false[\sigma] &=& false \\
(\neg S)[\sigma] &=& \neg S[\sigma] \\
(A / y_{test})[\sigma] &=& A[\sigma] / \sigma(y_{test}) \\
rel(\bar{y})[\sigma] &=& rel(\bar{y}[\sigma]) \\
(y, \bar{y})[\sigma] &=& \sigma(y), \bar{y}[\sigma]
\end{array}
\]
A.8 Lattice transformation of N

Notice that a list will become a pair of sets, in particular, a ρ. The sets could be conflicting, meaning that in this list, the transformation causes conflicts. We are using ⊔ to move conflicts into unknown. Alternately, we could either report this as an error or override or join. It is not clear what is best though.

\[
\frac{\rho_1 = lattice(N_1; A; B) \qquad \rho_2 = lattice(N_2; A; B)}
{lattice(N_1, N_2; A; B) = \rho_1 \sqcup \rho_2}\ (\textsc{List})
\]

\[
\frac{}{lattice(R; A) = \bot_A[R \mapsto true]}\ (\textsc{Lattice-R})
\qquad
\frac{}{lattice(\neg R; A) = \bot_A[R \mapsto false]}\ (\textsc{Lattice-}\neg\textsc{R})
\]

\[
\frac{B(\ell_{test}) = \mathit{True}}{lattice(R/\ell_{test}; A; B) = \bot_A[R \mapsto true]}\ (\textsc{Lattice-R-Test-T})
\qquad
\frac{B(\ell_{test}) = \mathit{False}}{lattice(R/\ell_{test}; A; B) = \bot_A[R \mapsto false]}\ (\textsc{Lattice-R-Test-F})
\]

\[
\frac{B(\ell_{test}) = \mathit{Unknown}}{lattice(R/\ell_{test}; A; B) = \bot_A[R \mapsto unknown]}\ (\textsc{Lattice-R-Test-U})
\]

\[
\frac{B(\ell_{test}) = \mathit{True}}{lattice(\neg R/\ell_{test}; A; B) = \bot_A[R \mapsto false]}\ (\textsc{Lattice-}\neg\textsc{R-Test-T})
\qquad
\frac{B(\ell_{test}) = \mathit{False}}{lattice(\neg R/\ell_{test}; A; B) = \bot_A[R \mapsto true]}\ (\textsc{Lattice-}\neg\textsc{R-Test-F})
\]

\[
\frac{B(\ell_{test}) = \mathit{Unknown}}{lattice(\neg R/\ell_{test}; A; B) = \bot_A[R \mapsto unknown]}\ (\textsc{Lattice-}\neg\textsc{R-Test-U})
\]


B Truth

\[
\frac{}{t \sqsubseteq t}\ (\sqsubseteq\text{-}=)
\qquad
\frac{}{t \sqsubseteq \mathit{Unknown}}\ (\sqsubseteq\text{-Unknown})
\]


B.1 Free variables

Find the free variables and the types of a specification or a part of a specification.

\[
\begin{array}{rcl}
FV(cons) &=& FV(op) \cup FV(P_{ctx}) \cup FV(P_{req}) \cup FV(Q) \\
FV(P_1 \wedge P_2) &=& FV(P_1) \cup FV(P_2) \\
FV(P_1 \vee P_2) &=& FV(P_1) \cup FV(P_2) \\
FV(P_1 \Rightarrow P_2) &=& FV(P_1) \cup FV(P_2) \\
FV(true) &=& \emptyset \\
FV(false) &=& \emptyset \\
FV(\bar{Q}) &=& \bigcup FV(Q) \\
FV(\neg S) &=& FV(S) \\
FV(A / y_{test}) &=& FV(A),\ y_{test} : boolean \\
FV(rel(\bar{y})) &=& \bar{y} : \Gamma_R(rel) \\
FV(\tau_{this}.m(\bar{y} : \bar{\tau}) : \tau_{ret}) &=& this : \tau_{this},\ ret : \tau_{ret},\ \bar{y} : \bar{\tau} \\
FV(new\ \tau(\bar{y} : \bar{\tau})) &=& this : \tau,\ \bar{y} : \bar{\tau}
\end{array}
\]
\[
\frac{}{\Gamma_y \cup \emptyset = \Gamma_y}\ (\cup\text{-}\emptyset)
\qquad
\frac{y \notin dom(\Gamma_y^l) \qquad \Gamma_y^l \cup \Gamma_y^r = \Gamma_y}
{\Gamma_y^l \cup (y : \tau, \Gamma_y^r) = y : \tau, \Gamma_y}\ (\cup\text{-NotIn})
\]

\[
\frac{\tau^l <: \tau^r \qquad \Gamma_y^l \cup \Gamma_y^r = \Gamma_y}
{(y : \tau^l, \Gamma_y^l) \cup (y : \tau^r, \Gamma_y^r) = y : \tau^l, \Gamma_y}\ (\cup\text{-LeftSub})
\qquad
\frac{\tau^r <: \tau^l \qquad \Gamma_y^l \cup \Gamma_y^r = \Gamma_y}
{(y : \tau^l, \Gamma_y^l) \cup (y : \tau^r, \Gamma_y^r) = y : \tau^r, \Gamma_y}\ (\cup\text{-RightSub})
\]

\[
\frac{}{\Gamma_y - \emptyset = \Gamma_y}\ (\textsc{Minus-}\emptyset)
\qquad
\frac{y \notin dom(\Gamma_y^l) \qquad \Gamma_y^l - \Gamma_y^r = \Gamma_y}
{\Gamma_y^l - (y : \tau, \Gamma_y^r) = \Gamma_y}\ (\textsc{Minus-NotIn})
\qquad
\frac{\Gamma_y^l - \Gamma_y^r = \Gamma_y}
{(y : \tau^l, \Gamma_y^l) - (y : \tau^r, \Gamma_y^r) = \Gamma_y}\ (\textsc{Minus-In})
\]

\[
\frac{dom(\Gamma_y) \subseteq dom(\Gamma_y') \qquad \forall\, y : \tau \in \Gamma_y .\ \Gamma_y'(y) <: \tau}
{\Gamma_y \sqsubseteq \Gamma_y'}\ (\sqsubseteq\text{-}\Gamma_y)
\]


C Aliasing Operations and Theorems

C.1 At least as precise, $\sqsubseteq_A$

\[
\frac{dom(\mathcal{L}') = dom(\mathcal{L}) \qquad dom(\Gamma') = dom(\Gamma) \qquad
\forall\, x' : \tau' \in \Gamma' .\ \tau' <: \Gamma(x') \qquad
\forall\, x' \mapsto L' \in \mathcal{L}' .\ L' \subseteq \mathcal{L}(x') \wedge L' \neq \emptyset}
{\langle \Gamma'; \mathcal{L}' \rangle \ \sqsubseteq_A\ \langle \Gamma; \mathcal{L} \rangle}\ (\sqsubseteq_A)
\]

C.2 Abstraction function

Theorem C.1 (Abstraction of Alias Lattice from the heap). Let $x \mapsto \ell : \tau$ be a source variable $x$ which points to a runtime location $\ell$ of type $\tau$. Let $h$ be a heap, represented as a list of source variables which point to locations of a particular type. Also let $H$ be all the possible heaps at a particular program counter. An alias lattice $\langle \Gamma; \mathcal{L} \rangle$ abstracts $H$ at a program counter if and only if

\[
\begin{array}{l}
\forall\, h \in H .\ dom(h) = dom(\mathcal{L})\ \wedge \\
\quad \forall\, (x_1 \mapsto \ell_1 : \tau_1) \in h .\ \forall\, (x_2 \mapsto \ell_2 : \tau_2) \in h . \\
\qquad \big(x_1 \neq x_2 \wedge \ell_1 = \ell_2 \Rightarrow
\exists\, \ell' .\ \ell' \in \mathcal{L}(x_1) \wedge \ell' \in \mathcal{L}(x_2) \wedge \tau_1 <: \Gamma_\ell(\ell')\big)\ \wedge \\
\qquad \big(x_1 \neq x_2 \wedge \ell_1 \neq \ell_2 \Rightarrow
\exists\, \ell'_1, \ell'_2 .\ \ell'_1 \in \mathcal{L}(x_1) \wedge \ell'_2 \in \mathcal{L}(x_2) \wedge \ell'_1 \neq \ell'_2 \wedge \tau_1 <: \Gamma_\ell(\ell'_1) \wedge \tau_2 <: \Gamma_\ell(\ell'_2)\big)
\end{array}
\]

C.3 At least as precise, $\sqsubseteq_B$

\[
\frac{dom(B_c) = dom(B_a) \qquad \forall\, \ell : t \in B_c .\ t \sqsubseteq B_a(\ell)}
{B_c \sqsubseteq_B B_a}\ (\sqsubseteq_B)
\]
D Consistency

Theorem D.1. Consistency

forall deriv.
  $A \vdash \rho$ consistent
  $\rho$ final
  $f_{alias}(A, instr) = A'$
  $f_{C;A;B}(\rho, instr) = \rho'$
exists deriv.
  $A' \vdash \rho'$ consistent
  $\rho'$ final

Proof:

  $\forall\, cons_i \in C .\ A'; B; \rho; cons_i \vdash instr \hookrightarrow \rho_\Delta^i$    By inversion on $f_{C;A;B}(\rho, instr) = \rho'$
  $\rho_\Delta = \bigsqcup\{\rho_\Delta^i\}$    By inversion on $f_{C;A;B}(\rho, instr) = \rho'$
  $\rho' = transfer(\rho, A') \sqcap \rho_\Delta$    By inversion on $f_{C;A;B}(\rho, instr) = \rho'$
  $\forall\, cons_i \in C .\ A' \vdash \rho_\Delta^i$ consistent    By lemma consistency of single constraint
  $A' \vdash \bigsqcup\{\rho_\Delta^i\}$ consistent    By lemma ⊔ preserves consistency
  $A' \vdash transfer(\rho, A')$ consistent    By lemma transfer implies consistency
  $A' \vdash \rho'$ consistent    By lemma ⊓ preserves consistency
  $\rho'$ final    By lemma ⊓ makes final

□
Theorem D.2. Consistency of a Single Constraint

forall deriv.
  $A \vdash \rho$ consistent
  $f_{alias}(A, instr) = A'$
  $A'; B; \rho; cons \vdash instr \hookrightarrow \rho_\Delta$
exists deriv.
  $A' \vdash \rho_\Delta$ consistent

Proof:

By case analysis on $A'; B; \rho; cons \vdash instr \hookrightarrow \rho_\Delta$

Case:
\[
\frac{\begin{array}{c}
cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad A'; FV(cons) \vdash instr : op \rightsquigarrow (\Sigma^l, \Sigma^u) \\
\Sigma^l \neq \emptyset \vee \Sigma^u \neq \emptyset \qquad
\mathcal{P}^l = \{\, \rho_\Delta \mid \sigma \in \Sigma^l \wedge A'; B; \rho; \sigma \vdash_{part} cons \hookrightarrow \rho_\Delta \,\} \\
\mathcal{P}^u = \{\, \ddagger\rho_\Delta \mid \sigma \in \Sigma^u \wedge A'; B; \rho; \sigma \vdash_{part} cons \hookrightarrow \rho_\Delta \,\} \\
|\mathcal{P}^l| = |\Sigma^l| \qquad |\mathcal{P}^u| = |\Sigma^u| \qquad \mathcal{P}_\Delta = \mathcal{P}^l \cup \mathcal{P}^u
\end{array}}
{A'; B; \rho; cons \vdash instr \hookrightarrow (\bigsqcup \mathcal{P}_\Delta)}\ (\textsc{Match})
\]

  $\forall\, i .$
    $dom(FV(op)) = dom(\sigma_i)$    By lemma Instruction Binding Consistent
    $rng(\sigma_i) \subseteq dom(\Gamma)$    By lemma Instruction Binding Consistent
    $\forall\, y : \tau \in FV(op) .\ \Gamma(\sigma_i(y)) <: \tau$    By lemma Instruction Binding Consistent
    $A' \vdash \rho_\Delta^i$ consistent    By lemma partial binding consistent
  $\forall\, \rho_\Delta \in \mathcal{P}_\Delta .\ A' \vdash \rho_\Delta$ consistent    By quantification above
  $A' \vdash (\bigsqcup \mathcal{P}_\Delta)$ consistent    By lemma ⊔ preserves consistency

Case:
\[
\frac{cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad A' \nvdash instr : op \rightsquigarrow \Sigma}
{A'; B; \rho; cons \vdash instr \hookrightarrow \bot_{A'}}\ (\textsc{Not-Match})
\]

  $A' \vdash \bot_{A'}$ consistent    By definition of $\bot_{A'}$

□
Theorem D.3. Consistency of Partial Binding

forall deriv.
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $A; B; \rho; \sigma \vdash_{part} cons \hookrightarrow \rho_\Delta$
exists deriv.
  $A \vdash \rho_\Delta$ consistent

Proof:

By case analysis on $A; B; \rho; \sigma \vdash_{part} cons \hookrightarrow \rho_\Delta$

Case:
\[
\frac{\begin{array}{c}
cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad
\Gamma_y = FV(op) \cup FV(P_{ctx}) \cup FV(Q) \qquad
allValidSubs(A; \sigma_{op}; \Gamma_y) = (\Sigma^l, \Sigma^u) \\
\Sigma^l \neq \emptyset \vee \Sigma^u \neq \emptyset \qquad
\mathcal{P}^l = \{\, \rho_\Delta \mid \sigma \in \Sigma^l \wedge A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \rho_\Delta \,\} \\
\mathcal{P}^u = \{\, \ddagger\rho_\Delta \mid \sigma \in \Sigma^u \wedge A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \rho_\Delta \,\} \qquad
\mathcal{P}_\Delta = \mathcal{P}^l \cup \mathcal{P}^u
\end{array}}
{A; B; \rho; \sigma_{op} \vdash_{part} cons \hookrightarrow (\bigsqcup \mathcal{P}_\Delta)}\ (\textsc{Bound})
\]

  $\forall\, \sigma \in \Sigma^l .\ A \vdash \sigma$ validFor $\Gamma_y$    By Lemma validSubs sound and complete
  $\forall\, \sigma \in \Sigma^u .\ A \vdash \sigma$ validFor $\Gamma_y$    By Lemma validSubs sound and complete
  $\forall\, \rho_\Delta \in \mathcal{P}^l .$
    $A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \rho_\Delta$ where $\sigma \in \Sigma^l$    By construction of $\mathcal{P}^l$
    $A \vdash \sigma$ validFor $\Gamma_y$    By $\sigma \in \Sigma^l$
    $A \vdash \sigma$ validFor $FV(Q)$    By $FV(Q) \subseteq \Gamma_y$
    $A \vdash \rho_\Delta$ consistent    By Lemma Full Binding Consistent
  $\forall\, \rho_\Delta \in \mathcal{P}^l .\ A \vdash \rho_\Delta$ consistent    By quantification
  $\forall\, \rho_\Delta \in \mathcal{P}^u .$
    $\rho_\Delta = \ddagger\rho_\Delta'$ where $A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \rho_\Delta' \wedge \sigma \in \Sigma^u$    By construction of $\mathcal{P}^u$
    $A \vdash \sigma$ validFor $\Gamma_y$    By $\sigma \in \Sigma^u$
    $A \vdash \sigma$ validFor $FV(Q)$    By $FV(Q) \subseteq \Gamma_y$
    $A \vdash \rho_\Delta'$ consistent    By Lemma Full Binding Consistent
    $A \vdash \rho_\Delta$ consistent    By Lemma ‡ consistent
  $\forall\, \rho_\Delta \in \mathcal{P}^u .\ A \vdash \rho_\Delta$ consistent    By quantification
  $\forall\, \rho_\Delta \in \mathcal{P}_\Delta .\ A \vdash \rho_\Delta$ consistent    By ∪
  $A \vdash (\bigsqcup \mathcal{P}_\Delta)$ consistent    By Lemma ⊔ consistent

Case:
\[
\frac{cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad
\Gamma_y = FV(op) \cup FV(P_{ctx}) \cup FV(Q) \qquad
allValidSubs(A; \sigma_{op}; \Gamma_y) = (\emptyset, \emptyset)}
{A; B; \rho; \sigma_{op} \vdash_{part} cons \hookrightarrow \bot_A}\ (\textsc{Cant-Bind})
\]

  $A \vdash \bot_A$ consistent    By definition of $\bot_A$

□
Theorem D.4. Consistency of Full Binding

forall deriv.
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $A \vdash \sigma$ validFor $FV(Q)$
  $A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \rho_\Delta$
exists deriv.
  $A \vdash \rho_\Delta$ consistent

Proof:

By case analysis on all variants of $A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \rho_\Delta$

Case:
\[
\frac{\begin{array}{c}
cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad B; \rho \vdash P_{ctx}[\sigma]\ \mathit{True} \\
(\Sigma^l, \Sigma^u) = allValidSubs(A; \sigma; FV(cons)) \qquad
\exists\, \sigma' \in \Sigma^l .\ B; \rho \vdash P_{req}[\sigma']\ \mathit{True}
\end{array}}
{A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow lattice(Q[\sigma])}\ (\textsc{Full-T-Compromise})
\]

  $A \vdash lattice(Q[\sigma])$ consistent    By Lemma Lattice with substitution is consistent

Case:
\[
\frac{cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad B; \rho \vdash P_{ctx}[\sigma]\ \mathit{False}}
{A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \bot_A}\ (\textsc{Full-F-Compromise})
\]

  $A \vdash \bot_A$ consistent    By definition of $\bot_A$

Case:
\[
\frac{cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad B; \rho \vdash P_{ctx}[\sigma]\ \mathit{Unknown} \qquad \rho_\Delta = lattice(Q[\sigma])}
{A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \ddagger\rho_\Delta}\ (\textsc{Full-U-Compromise})
\]

  $A \vdash \rho_\Delta$ consistent    By Lemma Lattice with substitution is consistent
  $A \vdash \ddagger\rho_\Delta$ consistent    By Lemma ‡ preserves consistency

Case:
\[
\frac{\begin{array}{c}
cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad B; \rho \vdash P_{ctx}[\sigma]\ \mathit{True} \\
(\Sigma^l, \Sigma^u) = allValidSubs(A; \sigma; FV(cons)) \qquad
\exists\, \sigma' \in \Sigma^l .\ B; \rho \vdash P_{req}[\sigma']\ \mathit{True}
\end{array}}
{A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow lattice(Q[\sigma])}\ (\textsc{Full-T-Sound})
\]

  $A \vdash lattice(Q[\sigma])$ consistent    By Lemma Lattice with substitution is consistent

Case:
\[
\frac{cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad B; \rho \vdash P_{ctx}[\sigma]\ \mathit{False}}
{A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \bot_A}\ (\textsc{Full-F-Sound})
\]

  $A \vdash \bot_A$ consistent    By definition of $\bot_A$

Case:
\[
\frac{\begin{array}{c}
cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad B; \rho \vdash P_{ctx}[\sigma]\ \mathit{Unknown} \\
(\Sigma^l, \Sigma^u) = allValidSubs(A; \sigma; FV(cons)) \qquad
\exists\, \sigma' \in \Sigma^l .\ B; \rho \vdash P_{req}[\sigma']\ \mathit{True} \qquad
\rho_\Delta = lattice(Q[\sigma])
\end{array}}
{A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \ddagger\rho_\Delta}\ (\textsc{Full-U-Sound})
\]

  $A \vdash \rho_\Delta$ consistent    By Lemma Lattice with substitution is consistent
  $A \vdash \ddagger\rho_\Delta$ consistent    By Lemma ‡ preserves consistency

Case:
\[
\frac{\begin{array}{c}
cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad B; \rho \vdash P_{ctx}[\sigma]\ \mathit{True} \\
(\Sigma^l, \Sigma^u) = allValidSubs(A; \sigma; FV(cons)) \\
\exists\, \sigma' \in \Sigma^l \cup \Sigma^u .\ B; \rho \vdash P_{req}[\sigma']\ \mathit{True} \ \vee\ B; \rho \vdash P_{req}[\sigma']\ \mathit{Unknown}
\end{array}}
{A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow lattice(Q[\sigma])}\ (\textsc{Full-T-Complete})
\]

  $A \vdash lattice(Q[\sigma])$ consistent    By Lemma Lattice with substitution is consistent

Case:
\[
\frac{cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad B; \rho \vdash P_{ctx}[\sigma]\ \mathit{False}}
{A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \bot_A}\ (\textsc{Full-F-Complete})
\]

  $A \vdash \bot_A$ consistent    By definition of $\bot_A$

Case:
\[
\frac{cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q \qquad B; \rho \vdash P_{ctx}[\sigma]\ \mathit{Unknown} \qquad \rho_\Delta = lattice(Q[\sigma])}
{A; B; \rho; \sigma \vdash_{full} cons \hookrightarrow \ddagger\rho_\Delta}\ (\textsc{Full-U-Complete})
\]

  $A \vdash \rho_\Delta$ consistent    By Lemma Lattice with substitution is consistent
  $A \vdash \ddagger\rho_\Delta$ consistent    By Lemma ‡ preserves consistency

□


E Completeness

Theorem E.1. Completeness of Relations Analysis

forall der.
  $f_{alias}(A^{abs}, instr) = A^{abs\prime}$
  $f_{alias}(A^{conc}, instr) = A^{conc\prime}$
  $\rho^{abs}$ final
  $\rho^{conc}$ final
  $B^{conc} \sqsubseteq B^{abs}$
  $A^{conc} \sqsubseteq_A A^{abs}$
  $A^{abs} \vdash \rho^{abs}$ consistent
  $A^{conc} \vdash \rho^{conc}$ consistent
  $\rho^{conc} \sqsubseteq \rho^{abs}$
  $f_{C;A^{conc};B^{conc}}(\rho^{conc}, instr) = \rho^{conc\prime}$
exists der.
  $f_{C;A^{abs};B^{abs}}(\rho^{abs}, instr) = \rho^{abs\prime}$
  $\rho^{conc\prime} \sqsubseteq \rho^{abs\prime}$

Proof: [Completeness of Relation Analysis]

  $\rho^{conc\prime} = transfer(\rho^{conc}, A^{conc\prime}) \sqcap \rho_\Delta^{conc}$    By inversion on $f_{C;A^{conc};B^{conc}}(\rho^{conc}, instr) = \rho^{conc\prime}$
  $\forall\, cons_i \in C .\ A^{conc\prime}; B^{conc}; \rho^{conc}; cons_i \vdash instr \hookrightarrow \rho_{\Delta,i}^{conc}$    By inversion on $f_{C;A^{conc};B^{conc}}(\rho^{conc}, instr) = \rho^{conc\prime}$
  $\rho_\Delta^{conc} = \bigsqcup\{\rho_{\Delta,i}^{conc}\}$    By inversion on $f_{C;A^{conc};B^{conc}}(\rho^{conc}, instr) = \rho^{conc\prime}$
  $\forall\, cons_i \in C .$
    $A^{abs\prime}; B^{abs}; \rho^{abs}; cons_i \vdash instr \hookrightarrow \rho_{\Delta,i}^{abs}$    By Lemma Soundness of Single Constraint
    $\rho_{\Delta,i}^{conc} \sqsubseteq \rho_{\Delta,i}^{abs}$    By Lemma Soundness of Single Constraint
    $\rho_{\Delta,i}^{conc} \trianglelefteq \rho_{\Delta,i}^{abs}$    By Lemma Soundness of Single Constraint
    $A^{abs\prime} \vdash \rho_{\Delta,i}^{abs}$ consistent    By Lemma Consistency of Single Constraint
  $\exists\, \bar{R} .\ \forall\, i .\ dom(\rho_{\Delta,i}^{abs}) = \bar{R}$    By Lemma consistency means same domain
  Let $\rho_\Delta^{abs} = \bigsqcup\{\rho_{\Delta,i}^{abs}\}$    By join rule applied many times
  $\rho_\Delta^{conc} \trianglelefteq \rho_\Delta^{abs}$    By Lemma ⊔ preserves ⊴
  $\rho_\Delta^{conc} \sqsubseteq \rho_\Delta^{abs}$    By Lemma ⊔ preserves ⊑
  $A^{abs\prime} \vdash \rho_\Delta^{abs}$ consistent    By Lemma same domains mean consistency
  Let $\rho^{abs\prime\prime} = transfer(\rho^{abs}, A^{abs\prime})$
  $A^{abs\prime} \vdash \rho^{abs\prime\prime}$ consistent    By Lemma transfer implies consistency
  $dom(\rho^{abs\prime\prime}) = dom(\rho_\Delta^{abs})$    By Lemma consistency means same domain
  Let $\rho^{abs\prime} = \rho^{abs\prime\prime} \sqcap \rho_\Delta^{abs}$    By rule OvrMeet
  $\rho^{conc\prime} \sqsubseteq \rho^{abs\prime}$    By Lemma ⊓ preserves ⊑
  $f_{C;A^{abs};B^{abs}}(\rho^{abs}, instr) = \rho^{abs\prime}$    By rule Flow-Cons

□
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Theorem  E.2.  Completeness  of  Single  Constraint 


forall  deriv. 

yiconc  nA  Aabs 

<gconc  ^  .gabs 
pConc  [—  pdbs 

yiQbs  h  pabs  consistent 
Aconc  h  pconc  consistent 
pconc  final 

^conc.  pconc.  cons  h  instr  ^  pconcA 

exists  deriv. 

yiQbs;  pabs;  cons  h  instr  pabsA 

pConcA  |—  pQbsA 
pConcA  ^  pabsA 


Proof:

By case analysis on $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; cons \vdash instr \hookrightarrow \rho^{conc\Delta}$

Case (MATCH):
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $\mathcal{A}^{conc}; FV(cons) \vdash instr : op \mapsto (I^l_c, I^u_c)$
  $I^l_c \neq \emptyset \lor I^u_c \neq \emptyset$
  $\mathcal{P}^l_c = \{\rho^\Delta \mid \sigma \in I^l_c \land \mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{part} cons \hookrightarrow \rho^\Delta\}$
  $\mathcal{P}^u_c = \{\downarrow\rho^\Delta \mid \sigma \in I^u_c \land \mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{part} cons \hookrightarrow \rho^\Delta\}$
  $|\mathcal{P}^l_c| = |I^l_c|$, $|\mathcal{P}^u_c| = |I^u_c|$, $\mathcal{P}_c = \mathcal{P}^l_c \cup \mathcal{P}^u_c$
  $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; cons \vdash instr \hookrightarrow \bigsqcup \mathcal{P}_c$

  Let $\rho^{conc\Delta} = \bigsqcup \mathcal{P}_c$
  $\mathcal{A}^{abs}; FV(cons) \vdash instr : op \mapsto (I^l_a, I^u_a)$    By Lemma Instruction Binding Complete
  $I^l_c \subseteq I^l_a \cup I^u_a$    By Lemma Instruction Binding Complete
  $I^u_c \subseteq I^u_a$    By Lemma Instruction Binding Complete
  $I^l_c \supseteq I^l_a$    By Lemma Instruction Binding Complete
  $I^l_a \neq \emptyset \lor I^u_a \neq \emptyset$    By $I^l_c \neq \emptyset \lor I^u_c \neq \emptyset$ and inversion on $\subseteq$
  Let $\mathcal{P}^l_a = \{\rho^\Delta \mid \sigma \in I^l_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{part} cons \hookrightarrow \rho^\Delta\}$
  Let $\mathcal{P}^u_a = \{\downarrow\rho^\Delta \mid \sigma \in I^u_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{part} cons \hookrightarrow \rho^\Delta\}$

  $\forall \rho^{l\Delta}_c \in \mathcal{P}^l_c$ .
    $\exists$ distinct $\sigma^l \in I^l_c$ . $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma^l \vdash_{part} cons \hookrightarrow \rho^{l\Delta}_c$    By construction of $\mathcal{P}^l_c$ and $|\mathcal{P}^l_c| = |I^l_c|$
    $\sigma^l \in I^l_a \lor \sigma^l \in I^u_a$    By $I^l_c \subseteq I^l_a \cup I^u_a$
    By case analysis on the location of $\sigma^l$
    Case $\sigma^l \in I^l_a$:
      $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^l \vdash_{part} cons \hookrightarrow \rho^{l\Delta}_a$    By Lemma Partial Binding complete
      $\rho^{l\Delta}_c \sqsubseteq \rho^{l\Delta}_a$    By Lemma Partial Binding Sound
      $\rho^{l\Delta}_c \lhd \rho^{l\Delta}_a$    By Lemma Partial Binding Sound
      $\rho^{l\Delta}_a$ distinct $\in \mathcal{P}^l_a$    By construction of $\mathcal{P}^l_a$
    Case $\sigma^l \in I^u_a$:
      $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^l \vdash_{part} cons \hookrightarrow \rho^{u\Delta}_a$    By Lemma Partial Binding complete
      $\rho^{l\Delta}_c \sqsubseteq \rho^{u\Delta}_a$    By Lemma Partial Binding Sound
      $\rho^{l\Delta}_c \lhd \rho^{u\Delta}_a$    By Lemma Partial Binding Sound
      $\rho^{l\Delta}_c \sqsubseteq \downarrow\rho^{u\Delta}_a$    By Lemma $\downarrow$ on abs preserves $\sqsubseteq$
      $\rho^{l\Delta}_c \lhd \downarrow\rho^{u\Delta}_a$    By Lemma $\downarrow$ on abs preserves $\lhd$
      $\downarrow\rho^{u\Delta}_a$ distinct $\in \mathcal{P}^u_a$    By construction of $\mathcal{P}^u_a$

  $\forall \rho^{u\Delta}_c \in \mathcal{P}^u_c$ .
    $\exists$ distinct $\sigma^u \in I^u_c$ . $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma^u \vdash_{part} cons \hookrightarrow \rho^{u\Delta\prime}_c$    By construction of $\mathcal{P}^u_c$ and $|\mathcal{P}^u_c| = |I^u_c|$
    $\rho^{u\Delta}_c = \downarrow\rho^{u\Delta\prime}_c$    By construction of $\mathcal{P}^u_c$
    $\sigma^u \in I^u_a$    By $I^u_c \subseteq I^u_a$
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^u \vdash_{part} cons \hookrightarrow \rho^{u\Delta\prime}_a$    By Lemma Partial Binding complete
    $\rho^{u\Delta\prime}_c \sqsubseteq \rho^{u\Delta\prime}_a$    By Lemma Partial Binding Sound
    $\rho^{u\Delta\prime}_c \lhd \rho^{u\Delta\prime}_a$    By Lemma Partial Binding Sound
    $\downarrow\rho^{u\Delta\prime}_c \sqsubseteq \downarrow\rho^{u\Delta\prime}_a$    By Lemma $\downarrow$ preserves $\sqsubseteq$
    $\downarrow\rho^{u\Delta\prime}_c \lhd \downarrow\rho^{u\Delta\prime}_a$    By Lemma $\downarrow$ preserves $\lhd$
    $\downarrow\rho^{u\Delta\prime}_a$ distinct $\in \mathcal{P}^u_a$    By construction of $\mathcal{P}^u_a$

  $\forall \rho^{l\Delta}_c \in \mathcal{P}^l_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{l\Delta}_c \sqsubseteq \rho^\Delta_a$    By quantification above
  $\forall \rho^{l\Delta}_c \in \mathcal{P}^l_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{l\Delta}_c \lhd \rho^\Delta_a$    By quantification above
  $\forall \rho^{u\Delta}_c \in \mathcal{P}^u_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{u\Delta}_c \sqsubseteq \rho^\Delta_a$    By quantification above
  $\forall \rho^{u\Delta}_c \in \mathcal{P}^u_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{u\Delta}_c \lhd \rho^\Delta_a$    By quantification above
  $\forall \rho^{l\Delta}_a \in \mathcal{P}^l_a$ . $\mathcal{A}^{abs} \vdash \rho^{l\Delta}_a$ consistent    By quantification above
  $\forall \rho^{u\Delta}_a \in \mathcal{P}^u_a$ . $\mathcal{A}^{abs} \vdash \rho^{u\Delta}_a$ consistent    By quantification above
  Let $\mathcal{P}_a = \mathcal{P}^l_a \cup \mathcal{P}^u_a$
  $\exists R$ . $\forall \rho_a \in \mathcal{P}_a$ . $dom(\rho_a) = R$    By inversion on consistency of each $\rho_a$
  Let $\rho^{abs\Delta} = \bigsqcup \mathcal{P}_a$
  $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; cons \vdash instr \hookrightarrow \rho^{abs\Delta}$    By rule match
  $\forall \rho^\Delta_c \in \mathcal{P}_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^\Delta_c \sqsubseteq \rho^\Delta_a$    By $\mathcal{P}_c = \mathcal{P}^l_c \cup \mathcal{P}^u_c$
  $\forall \rho^\Delta_c \in \mathcal{P}_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^\Delta_c \lhd \rho^\Delta_a$    By $\mathcal{P}_c = \mathcal{P}^l_c \cup \mathcal{P}^u_c$
  $\rho^{conc\Delta} \sqsubseteq \rho^{abs\Delta}$    By $\bigsqcup$ preserves $\sqsubseteq$ and $\lhd$ on sets
  $\rho^{conc\Delta} \lhd \rho^{abs\Delta}$    By $\bigsqcup$ preserves $\sqsubseteq$ and $\lhd$ on sets

Case (NO-MATCH):
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $\mathcal{A}^{conc}; FV(cons) \vdash instr : op \mapsto (\emptyset, \emptyset)$
  $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; cons \vdash instr \hookrightarrow \bot_{\mathcal{A}^{conc}}$

  $allValidSubs(\mathcal{A}^{abs}; \sigma_{op}; \Gamma_\gamma) \mapsto (I^l_a, I^u_a)$    By Lemma Instruction Binding Complete
  $I^l_c \subseteq I^l_a \cup I^u_a$    By Lemma Instruction Binding Complete
  $I^u_c \subseteq I^u_a$    By Lemma Instruction Binding Complete
  $I^l_c \supseteq I^l_a$    By Lemma Instruction Binding Complete
  $I^l_a = \emptyset$    By $I^l_c \supseteq I^l_a$
  By case analysis on the property $I^u_a = \emptyset$

  Case $I^u_a = \emptyset$:
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; cons \vdash instr \hookrightarrow \bot_{\mathcal{A}^{abs}}$    By rule no-match
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$    By definition of $\bot_{\mathcal{A}}$
    $\bot_{\mathcal{A}^{conc}} \lhd \bot_{\mathcal{A}^{abs}}$    By definition of $\bot_{\mathcal{A}}$

  Case $I^u_a \neq \emptyset$:
    Let $\mathcal{P}^l_a = \{\rho^\Delta \mid \sigma \in I^l_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{part} cons \hookrightarrow \rho^\Delta\}$; $\mathcal{P}^l_a = \emptyset$    By $I^l_a = \emptyset$
    Let $\mathcal{P}^u_a = \{\downarrow\rho^{\Delta\prime} \mid \sigma \in I^u_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{part} cons \hookrightarrow \rho^{\Delta\prime}\}$
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E = bot$    By definition of $\bot_{\mathcal{A}}$
    $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent    By definition of $\bot_{\mathcal{A}}$
    $\forall \rho^\Delta \in \mathcal{P}^u_a$ .
      $\rho^\Delta = \downarrow\rho^{\Delta\prime}$ where $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{part} cons \hookrightarrow \rho^{\Delta\prime}$    By construction of $\mathcal{P}^u_a$
      $\mathcal{A}^{abs} \vdash \rho^{\Delta\prime}$ consistent    By lemma partial binding consistent
      $\mathcal{A}^{abs} \vdash \rho^\Delta$ consistent    By lemma $\downarrow$ consistent
      $dom(\bot_{\mathcal{A}^{conc}}) \subseteq dom(\rho^\Delta)$    By Lemma consistency and $\sqsubseteq_{\mathcal{A}}$ implies domains subset
      $\forall R \mapsto E \in \rho^\Delta$ . $E = bot \lor E = unknown$    By $\downarrow$ creates polarity
      $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E \sqsubseteq \rho^\Delta(R)$    By rule $\sqsubseteq$-bot
      $\bot_{\mathcal{A}^{conc}} \sqsubseteq \rho^\Delta$    By rule $\sqsubseteq$-$\rho$
      $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E \lhd \rho^\Delta(R)$    By rule $\lhd$-bot and $\lhd$-unknown
      $\bot_{\mathcal{A}^{conc}} \lhd \rho^\Delta$    By rule $\lhd$-$\rho$
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; cons \vdash instr \hookrightarrow \rho^{abs\Delta}$    By rule match
    $\forall \rho^\Delta \in \mathcal{P}^u_a$ . $\bot_{\mathcal{A}^{conc}} \sqsubseteq \rho^\Delta$    By quantification
    $\forall \rho^\Delta \in \mathcal{P}^u_a$ . $\bot_{\mathcal{A}^{conc}} \lhd \rho^\Delta$    By quantification
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bigsqcup \mathcal{P}^u_a$    By lemma $\bigsqcup$ preserves $\sqsubseteq$
    $\bot_{\mathcal{A}^{conc}} \lhd \bigsqcup \mathcal{P}^u_a$    By lemma $\bigsqcup$ preserves $\lhd$

□
Theorem E.3. Completeness of Constraint with Partial Substitution

forall deriv.

$\mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$
$\rho^{conc} \sqsubseteq \rho^{abs}$
$\rho^{abs}$ final
$\rho^{conc}$ final
$\mathcal{A}^{abs} \vdash \rho^{abs}$ consistent
$\mathcal{A}^{conc} \vdash \rho^{conc}$ consistent
$\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{part} cons \hookrightarrow \rho^{conc\Delta}$
$\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$

exists deriv.

$\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{part} cons \hookrightarrow \rho^{abs\Delta}$
$\rho^{conc\Delta} \sqsubseteq \rho^{abs\Delta}$
$\rho^{conc\Delta} \lhd \rho^{abs\Delta}$

Proof:

By case analysis on $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{part} cons \hookrightarrow \rho^{conc\Delta}$

Case (BOUND):
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $\Gamma = FV(op) \cup FV(P_{ctx}) \cup FV(Q)$
  $allValidSubs(\mathcal{A}^{conc}; \sigma_{op}; \Gamma) = (I^l_c, I^u_c)$
  $I^l_c \neq \emptyset \lor I^u_c \neq \emptyset$
  $\mathcal{P}^l_c = \{\rho^\Delta \mid \sigma \in I^l_c \land \mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{full} cons \hookrightarrow \rho^\Delta\}$
  $\mathcal{P}^u_c = \{\downarrow\rho^\Delta \mid \sigma \in I^u_c \land \mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{full} cons \hookrightarrow \rho^\Delta\}$
  $|\mathcal{P}^l_c| = |I^l_c|$, $|\mathcal{P}^u_c| = |I^u_c|$, $\mathcal{P}_c = \mathcal{P}^l_c \cup \mathcal{P}^u_c$
  $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma_{op} \vdash_{part} cons \hookrightarrow \bigsqcup \mathcal{P}_c$

  Let $\rho^{conc\Delta} = \bigsqcup \mathcal{P}_c$
  $allValidSubs(\mathcal{A}^{abs}; \sigma_{op}; \Gamma) = (I^l_a, I^u_a)$    By Lemma All Valid Subs sound and complete
  $I^l_c \subseteq I^l_a \cup I^u_a$    By Lemma All Valid Subs sound and complete
  $I^u_c \subseteq I^u_a$    By Lemma All Valid Subs sound and complete
  $I^l_c \supseteq I^l_a$    By Lemma All Valid Subs sound and complete
  $I^l_a \neq \emptyset \lor I^u_a \neq \emptyset$    By $I^l_c \neq \emptyset \lor I^u_c \neq \emptyset$ and inversion on $\subseteq$
  Let $\mathcal{P}^l_a = \{\rho^\Delta \mid \sigma \in I^l_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \rho^\Delta\}$
  Let $\mathcal{P}^u_a = \{\downarrow\rho^\Delta \mid \sigma \in I^u_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \rho^\Delta\}$

  $\forall \rho^{l\Delta}_c \in \mathcal{P}^l_c$ .
    $\exists$ distinct $\sigma^l \in I^l_c$ . $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma^l \vdash_{full} cons \hookrightarrow \rho^{l\Delta}_c$    By construction of $\mathcal{P}^l_c$ and $|I^l_c| = |\mathcal{P}^l_c|$
    $\sigma^l \in I^l_a \lor \sigma^l \in I^u_a$    By $I^l_c \subseteq I^l_a \cup I^u_a$
    By case analysis on the location of $\sigma^l$
    Case $\sigma^l \in I^l_a$:
      $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^l \vdash_{full} cons \hookrightarrow \rho^{l\Delta}_a$    By Lemma Full complete
      $\rho^{l\Delta}_c \sqsubseteq \rho^{l\Delta}_a$    By Lemma Full complete
      $\rho^{l\Delta}_c \lhd \rho^{l\Delta}_a$    By Lemma Full complete
      $\rho^{l\Delta}_a$ distinct $\in \mathcal{P}^l_a$    By construction of $\mathcal{P}^l_a$
    Case $\sigma^l \in I^u_a$:
      $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^l \vdash_{full} cons \hookrightarrow \rho^{u\Delta}_a$    By Lemma Full complete
      $\rho^{l\Delta}_c \sqsubseteq \rho^{u\Delta}_a$    By Lemma Full complete
      $\rho^{l\Delta}_c \lhd \rho^{u\Delta}_a$    By Lemma Full complete
      $\rho^{l\Delta}_c \sqsubseteq \downarrow\rho^{u\Delta}_a$    By Lemma $\downarrow$ on abs preserves $\sqsubseteq$
      $\rho^{l\Delta}_c \lhd \downarrow\rho^{u\Delta}_a$    By Lemma $\downarrow$ on abs preserves $\lhd$
      $\downarrow\rho^{u\Delta}_a$ distinct $\in \mathcal{P}^u_a$    By construction of $\mathcal{P}^u_a$

  $\forall \rho^{u\Delta}_c \in \mathcal{P}^u_c$ .
    $\exists$ distinct $\sigma^u \in I^u_c$ . $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma^u \vdash_{full} cons \hookrightarrow \rho^{u\Delta\prime}_c$    By construction of $\mathcal{P}^u_c$ and $|I^u_c| = |\mathcal{P}^u_c|$
    $\rho^{u\Delta}_c = \downarrow\rho^{u\Delta\prime}_c$    By construction of $\mathcal{P}^u_c$
    $\sigma^u \in I^u_a$    By $I^u_c \subseteq I^u_a$
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^u \vdash_{full} cons \hookrightarrow \rho^{u\Delta\prime}_a$    By Lemma Full complete
    $\rho^{u\Delta\prime}_c \sqsubseteq \rho^{u\Delta\prime}_a$    By Lemma Full complete
    $\rho^{u\Delta\prime}_c \lhd \rho^{u\Delta\prime}_a$    By Lemma Full complete
    $\downarrow\rho^{u\Delta\prime}_c \sqsubseteq \downarrow\rho^{u\Delta\prime}_a$    By Lemma $\downarrow$ preserves $\sqsubseteq$
    $\downarrow\rho^{u\Delta\prime}_c \lhd \downarrow\rho^{u\Delta\prime}_a$    By Lemma $\downarrow$ preserves $\lhd$
    $\downarrow\rho^{u\Delta\prime}_a$ distinct $\in \mathcal{P}^u_a$    By construction of $\mathcal{P}^u_a$

  $\forall \rho^{l\Delta}_c \in \mathcal{P}^l_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{l\Delta}_c \sqsubseteq \rho^\Delta_a$    By quantification above
  $\forall \rho^{l\Delta}_c \in \mathcal{P}^l_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{l\Delta}_c \lhd \rho^\Delta_a$    By quantification above
  $\forall \rho^{u\Delta}_c \in \mathcal{P}^u_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{u\Delta}_c \sqsubseteq \rho^\Delta_a$    By quantification above
  $\forall \rho^{u\Delta}_c \in \mathcal{P}^u_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{u\Delta}_c \lhd \rho^\Delta_a$    By quantification above
  $\forall \rho^{l\Delta}_a \in \mathcal{P}^l_a$ . $\mathcal{A}^{abs} \vdash \rho^{l\Delta}_a$ consistent    By quantification above
  $\forall \rho^{u\Delta}_a \in \mathcal{P}^u_a$ . $\mathcal{A}^{abs} \vdash \rho^{u\Delta}_a$ consistent    By quantification above
  Let $\mathcal{P}_a = \mathcal{P}^l_a \cup \mathcal{P}^u_a$
  $\exists R$ . $\forall \rho_a \in \mathcal{P}_a$ . $dom(\rho_a) = R$    By inversion on consistency of each $\rho_a$
  Let $\rho^{abs\Delta} = \bigsqcup \mathcal{P}_a$
  $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma_{op} \vdash_{part} cons \hookrightarrow \rho^{abs\Delta}$    By rule bind
  $\forall \rho^\Delta_c \in \mathcal{P}_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^\Delta_c \sqsubseteq \rho^\Delta_a$    By $\mathcal{P}_c = \mathcal{P}^l_c \cup \mathcal{P}^u_c$
  $\forall \rho^\Delta_c \in \mathcal{P}_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^\Delta_c \lhd \rho^\Delta_a$    By $\mathcal{P}_c = \mathcal{P}^l_c \cup \mathcal{P}^u_c$
  $\rho^{conc\Delta} \sqsubseteq \rho^{abs\Delta}$    By $\bigsqcup$ preserves $\sqsubseteq$ and $\lhd$ on sets
  $\rho^{conc\Delta} \lhd \rho^{abs\Delta}$    By $\bigsqcup$ preserves $\sqsubseteq$ and $\lhd$ on sets

Case (CANT-BIND):
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $\Gamma = FV(op) \cup FV(P_{ctx}) \cup FV(Q)$
  $allValidSubs(\mathcal{A}^{conc}; \sigma_{op}; \Gamma) = (\emptyset, \emptyset)$
  $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma_{op} \vdash_{part} cons \hookrightarrow \bot_{\mathcal{A}^{conc}}$

  $allValidSubs(\mathcal{A}^{abs}; \sigma_{op}; \Gamma) \mapsto (I^l_a, I^u_a)$    By Lemma All Subs Sound and complete
  $I^l_c \subseteq I^l_a \cup I^u_a$    By Lemma All Subs Sound and complete
  $I^u_c \subseteq I^u_a$    By Lemma All Subs Sound and complete
  $I^l_c \supseteq I^l_a$    By Lemma All Subs Sound and complete
  $I^l_a = \emptyset$    By $I^l_c \supseteq I^l_a$
  By case analysis on the property $I^u_a = \emptyset$

  Case $I^u_a = \emptyset$:
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma_{op} \vdash_{part} cons \hookrightarrow \bot_{\mathcal{A}^{abs}}$    By rule cant-bind
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$    By definition of $\bot_{\mathcal{A}}$
    $\bot_{\mathcal{A}^{conc}} \lhd \bot_{\mathcal{A}^{abs}}$    By definition of $\bot_{\mathcal{A}}$

  Case $I^u_a \neq \emptyset$:
    Let $\mathcal{P}^l_a = \{\rho^\Delta \mid \sigma \in I^l_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \rho^\Delta\}$; $\mathcal{P}^l_a = \emptyset$    By $I^l_a = \emptyset$
    Let $\mathcal{P}^u_a = \{\downarrow\rho^{\Delta\prime} \mid \sigma \in I^u_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \rho^{\Delta\prime}\}$
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E = bot$    By definition of $\bot_{\mathcal{A}}$
    $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent    By definition of $\bot_{\mathcal{A}}$
    $\forall \rho^\Delta \in \mathcal{P}^u_a$ .
      $\rho^\Delta = \downarrow\rho^{\Delta\prime}$ where $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \rho^{\Delta\prime}$    By construction of $\mathcal{P}^u_a$
      $\mathcal{A}^{abs} \vdash \rho^{\Delta\prime}$ consistent    By lemma full consistent
      $\mathcal{A}^{abs} \vdash \rho^\Delta$ consistent    By lemma $\downarrow$ consistent
      $dom(\bot_{\mathcal{A}^{conc}}) \subseteq dom(\rho^\Delta)$    By Lemma consistency and $\sqsubseteq_{\mathcal{A}}$ implies domains subset
      $\forall R \mapsto E \in \rho^\Delta$ . $E = bot \lor E = unknown$    By $\downarrow$ creates polarity
      $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E \sqsubseteq \rho^\Delta(R)$    By rule $\sqsubseteq$-bot
      $\bot_{\mathcal{A}^{conc}} \sqsubseteq \rho^\Delta$    By rule $\sqsubseteq$-$\rho$
      $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E \lhd \rho^\Delta(R)$    By rule $\lhd$-bot and $\lhd$-unknown
      $\bot_{\mathcal{A}^{conc}} \lhd \rho^\Delta$    By rule $\lhd$-$\rho$
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma_{op} \vdash_{part} cons \hookrightarrow \rho^{abs\Delta}$    By rule bind
    $\forall \rho^\Delta \in \mathcal{P}^u_a$ . $\bot_{\mathcal{A}^{conc}} \sqsubseteq \rho^\Delta$    By quantification
    $\forall \rho^\Delta \in \mathcal{P}^u_a$ . $\bot_{\mathcal{A}^{conc}} \lhd \rho^\Delta$    By quantification
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bigsqcup \mathcal{P}^u_a$    By lemma $\bigsqcup$ preserves $\sqsubseteq$
    $\bot_{\mathcal{A}^{conc}} \lhd \bigsqcup \mathcal{P}^u_a$    By lemma $\bigsqcup$ preserves $\lhd$

□
Theorem E.4. Completeness of Constraint with Full Substitution

forall deriv.

$\mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$
$\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
$\rho^{conc} \sqsubseteq \rho^{abs}$
$\mathcal{A}^{abs} \vdash \rho^{abs}$ consistent
$\mathcal{A}^{conc} \vdash \rho^{conc}$ consistent
$\rho^{abs}$ final
$\rho^{conc}$ final
$\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{full} cons \hookrightarrow \rho^{conc\Delta}$
$dom(\sigma) = dom(FV(cons))$

exists deriv.

$\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \rho^{abs\Delta}$
$\rho^{conc\Delta} \sqsubseteq \rho^{abs\Delta}$
$\rho^{conc\Delta} \lhd \rho^{abs\Delta}$
Proof:

By case analysis on $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{full} cons \hookrightarrow \rho^{conc\Delta}$

Case (FULL-F-COMPLETE):
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash P_{ctx}[\sigma]\ \mathrm{False}$
  $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{full} cons \hookrightarrow \bot_{\mathcal{A}^{conc}}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash P_{ctx}[\sigma]\ t_a$    By lemma truth sound
  $\mathrm{False} \preceq t_a$    By lemma truth sound
  By case analysis on the value of $t_a$

  Case $t_a = \mathrm{False}$:
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \bot_{\mathcal{A}^{abs}}$    By rule full-complete-False
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E = bot$    By definition of $\bot$
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E \sqsubseteq \bot_{\mathcal{A}^{abs}}(R)$    By rule $\sqsubseteq$-$\bot$
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$    By rule $\sqsubseteq$
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{abs}}$ . $E = bot$    By definition of $\bot$
    $\forall R \mapsto E \in \rho^{conc\Delta}$ . $E \lhd \rho^{abs\Delta}(R)$    By rule $\lhd$-bot
    $\bot_{\mathcal{A}^{conc}} \lhd \bot_{\mathcal{A}^{abs}}$    By rule $\lhd$

  Case $t_a = \mathrm{True}$:
    Invalid case by $\mathrm{False} \preceq t_a$

  Case $t_a = \mathrm{Unknown}$:
    Let $\rho^{\Delta\prime} = lattice(Q[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs})$
    Let $\rho^\Delta = \downarrow\rho^{\Delta\prime}$
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \rho^\Delta$    By rule full-complete-Unknown
    $\mathcal{A}^{abs} \vdash \rho^{\Delta\prime}$ consistent    By lattice consistent
    $\mathcal{A}^{abs} \vdash \rho^\Delta$ consistent    By $\downarrow$ consistent
    $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent    By definition of $\bot_{\mathcal{A}}$
    $dom(\bot_{\mathcal{A}^{conc}}) \subseteq dom(\rho^\Delta)$    By consistency and $\sqsubseteq_{\mathcal{A}}$ implies domains subset
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E = bot$    By definition of $\bot$
    $\forall R \mapsto E \in \rho^\Delta$ . $E = bot \lor E = unknown$    By $\downarrow$ creates polarity
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}}$ . $E \sqsubseteq \rho^\Delta(R)$    By rule $\sqsubseteq$-bot
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \rho^{abs\Delta}$    By rule $\sqsubseteq$
    $\forall R \mapsto E \in \rho^{conc\Delta}$ . $E \lhd \rho^{abs\Delta}(R)$    By rule $\lhd$-bot and $\lhd$-unknown
    $\bot_{\mathcal{A}^{conc}} \lhd \rho^{abs\Delta}$    By rule $\lhd$

Case (FULL-T-COMPLETE):
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash P_{ctx}[\sigma]\ \mathrm{True}$
  $(I^l_c, I^u_c) = allValidSubs(\mathcal{A}^{conc}; \sigma; FV(cons))$
  $\exists \sigma' \in I^l_c \cup I^u_c$ . $\mathcal{B}^{conc}; \rho^{conc} \vdash P_{req}[\sigma']\ \mathrm{True} \lor \mathcal{B}^{conc}; \rho^{conc} \vdash P_{req}[\sigma']\ \mathrm{Unknown}$
  $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{full} cons \hookrightarrow lattice(Q[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc})$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash P_{ctx}[\sigma]\ t_a$    By lemma truth sound
  $\mathrm{True} \preceq t_a$    By lemma truth sound
  Let $\rho^\Delta_c = lattice(Q[\sigma], \mathcal{A}^{conc}, \mathcal{B}^{conc})$
  By case analysis on $t_a$

  Case $t_a = \mathrm{True}$:
    $(I^l_a, I^u_a) = allValidSubs(\mathcal{A}^{abs}; \sigma; FV(cons))$    By lemma valid subs Sound and Complete
    $I^l_c \subseteq I^l_a \cup I^u_a$    By lemma valid subs Sound and Complete
    $I^u_c \subseteq I^u_a$    By lemma valid subs Sound and Complete
    $I^l_c \supseteq I^l_a$    By lemma valid subs Sound and Complete
    $I^l_c \cup I^u_c \subseteq I^l_a \cup I^u_a$    By subsets above
    Let $\sigma'$ where $\sigma' \in I^l_c \cup I^u_c$ and $\mathcal{B}^{conc}; \rho^{conc} \vdash P_{req}[\sigma']\ \mathrm{True} \lor \mathcal{B}^{conc}; \rho^{conc} \vdash P_{req}[\sigma']\ \mathrm{Unknown}$
    $\sigma' \in I^l_a \cup I^u_a$    By $I^l_c \cup I^u_c \subseteq I^l_a \cup I^u_a$
    $\mathcal{B}^{abs}; \rho^{abs} \vdash P_{req}[\sigma']\ \mathrm{True} \lor \mathcal{B}^{abs}; \rho^{abs} \vdash P_{req}[\sigma']\ \mathrm{Unknown}$    By lemma truth complete
    Let $\rho^\Delta_a = lattice(Q[\sigma]; \mathcal{A}^{abs}; \mathcal{B}^{abs})$
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \rho^\Delta_a$    By rule full-T-sound
    $\rho^\Delta_c \sqsubseteq \rho^\Delta_a$    By Lemma lattice complete
    $\rho^\Delta_c \lhd \rho^\Delta_a$    By Lemma lattice complete

  Case $t_a = \mathrm{False}$:
    Invalid case by $\mathrm{True} \preceq t_a$

  Case $t_a = \mathrm{Unknown}$:
    Let $\rho^{\Delta\prime}_a = lattice(Q[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs})$
    Let $\rho^\Delta_a = \downarrow\rho^{\Delta\prime}_a$
    $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{full} cons \hookrightarrow \rho^\Delta_a$    By rule full-complete-Unknown
    $\rho^\Delta_c \sqsubseteq \rho^{\Delta\prime}_a$    By Lemma lattice complete
    $\rho^\Delta_c \lhd \rho^{\Delta\prime}_a$    By Lemma lattice complete
    $\rho^\Delta_c \sqsubseteq \downarrow\rho^{\Delta\prime}_a$    By Lemma $\downarrow$ on abs preserves $\sqsubseteq$
    $\rho^\Delta_c \lhd \downarrow\rho^{\Delta\prime}_a$    By Lemma $\downarrow$ on abs preserves $\lhd$

Case (FULL-U-COMPLETE):
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash P_{ctx}[\sigma]\ \mathrm{Unknown}$
  $\rho^\Delta_c = lattice(Q[\sigma])$
  $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{full} cons \hookrightarrow \downarrow\rho^\Delta_c$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash P_{ctx}[\sigma]\ t_a$    By lemma truth sound
  $\mathrm{Unknown} \preceq t_a$    By lemma truth sound
  $\mathcal{B}^{abs}; \rho^{abs} \vdash P_{ctx}[\sigma]\ \mathrm{Unknown}$    By inversion on $\mathrm{Unknown} \preceq t_a$
  Let $\rho^\Delta_a = lattice(Q[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs})$
  $\rho^\Delta_c \sqsubseteq \rho^\Delta_a$    By Lemma lattice complete
  $\rho^\Delta_c \lhd \rho^\Delta_a$    By Lemma lattice complete
  $\downarrow\rho^\Delta_c \sqsubseteq \downarrow\rho^\Delta_a$    By Lemma $\downarrow$ preserves $\sqsubseteq$
  $\downarrow\rho^\Delta_c \lhd \downarrow\rho^\Delta_a$    By Lemma $\downarrow$ preserves $\lhd$

□
Theorem E.5. Truth Checking Complete

forall deriv.

$\rho^{conc} \sqsubseteq \rho^{abs}$
$\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
$\rho^{abs}$ final
$\rho^{conc}$ final
$\mathcal{B}^{conc}; \rho^{conc} \vdash P[\sigma]\ t_c$

exists deriv.

$\mathcal{B}^{abs}; \rho^{abs} \vdash P[\sigma]\ t_a$
$t_c \preceq t_a$

Proof:

By induction on $\mathcal{B}^{conc}; \rho^{conc} \vdash P[\sigma]\ t_c$

Case (REL-TRUE):
  $\rho^{conc}(rel(\ell)[\sigma]) = true$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash rel(\ell)[\sigma]\ \mathrm{True}$

  Let $R = rel(\ell)[\sigma]$
  $R \in dom(\rho^{abs})$    By inversion on $\rho^{conc} \sqsubseteq \rho^{abs}$
  Let $E_a = \rho^{abs}(R)$
  By case analysis on the value of $E_a$
  Case $E_a = true$:
    $\mathcal{B}^{abs}; \rho^{abs} \vdash R\ \mathrm{True}$    By rule rel-True
    $\mathrm{True} \preceq \mathrm{True}$    By rule $\preceq$-=
  Case $E_a = false$:
    Contradiction with $\rho^{conc} \sqsubseteq \rho^{abs}$
  Case $E_a = unknown$:
    $\mathcal{B}^{abs}; \rho^{abs} \vdash R\ \mathrm{Unknown}$    By rule rel-Unknown
    $\mathrm{True} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown
  Case $E_a = bot$:
    Contradiction with $\rho^{abs}$ final

Case (REL-FALSE):
  $\rho^{conc}(rel(\ell)[\sigma]) = false$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash rel(\ell)[\sigma]\ \mathrm{False}$

  Let $R = rel(\ell)[\sigma]$
  $R \in dom(\rho^{abs})$    By inversion on $\rho^{conc} \sqsubseteq \rho^{abs}$
  Let $E_a = \rho^{abs}(R)$
  By case analysis on $E_a$
  Case $E_a = false$:
    $\mathcal{B}^{abs}; \rho^{abs} \vdash R\ \mathrm{False}$    By rule rel-False
    $\mathrm{False} \preceq \mathrm{False}$    By rule $\preceq$-=
  Case $E_a = true$:
    Contradiction with $\rho^{conc} \sqsubseteq \rho^{abs}$
  Case $E_a = unknown$:
    $\mathcal{B}^{abs}; \rho^{abs} \vdash R\ \mathrm{Unknown}$    By rule rel-Unknown
    $\mathrm{False} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown
  Case $E_a = bot$:
    Contradiction with $\rho^{abs}$ final

Case (REL-UNKNOWN-SOUND-COMPLETE):
  $\rho^{conc}(rel(\ell)) = E_c$, $E_c \neq true$, $E_c \neq false$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash rel(\ell)\ \mathrm{Unknown}$

  Let $R = rel(\ell)[\sigma]$
  $R \in dom(\rho^{abs})$    By inversion on $\rho^{conc} \sqsubseteq \rho^{abs}$
  Let $E_a = \rho^{abs}(R)$
  By case analysis on $E_a$
  Case $E_a = false$:
    Contradiction with $\rho^{conc} \sqsubseteq \rho^{abs}$
  Case $E_a = true$:
    Contradiction with $\rho^{conc} \sqsubseteq \rho^{abs}$
  Case $E_a = unknown$:
    $\mathcal{B}^{abs}; \rho^{abs} \vdash R\ \mathrm{Unknown}$    By rule rel-Unknown
    $\mathrm{Unknown} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown
  Case $E_a = bot$:
    Contradiction with $\rho^{abs}$ final

Case (REL-TEST-TRUE):
  $\mathcal{B}^{conc}; \rho^{conc} \vdash A\ t_c$, $\mathcal{B}^{conc}(\ell_{test}) = t_c$, $t_c \neq \mathrm{Unknown}$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash A/\ell_{test}\ \mathrm{True}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash A\ t_a$    By induction hypothesis
  $t_c \preceq t_a$    By induction hypothesis
  By case analysis on $t_c$

  Case $t_c = \mathrm{True}$:
    By case analysis on $\mathcal{B}^{abs}(\ell_{test})$
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{True}$:
      By case analysis on $t_a$
      Case $t_a = \mathrm{True}$:
        $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{True}$    By rule rel-test-True
        $\mathrm{True} \preceq \mathrm{True}$    By rule $\preceq$-=
      Case $t_a = \mathrm{False}$:
        Invalid case by $\rho^{conc} \sqsubseteq \rho^{abs}$
      Case $t_a = \mathrm{Unknown}$:
        $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-Unknown1
        $\mathrm{True} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{False}$:
      Invalid case by $\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{Unknown}$:
      $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-Unknown2

  Case $t_c = \mathrm{False}$:
    By case analysis on $\mathcal{B}^{abs}(\ell_{test})$
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{False}$:
      By case analysis on $t_a$
      Case $t_a = \mathrm{False}$:
        $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{False}$    By rule rel-test-False
        $\mathrm{False} \preceq \mathrm{False}$    By rule $\preceq$-=
      Case $t_a = \mathrm{True}$:
        Invalid case by $\rho^{conc} \sqsubseteq \rho^{abs}$
      Case $t_a = \mathrm{Unknown}$:
        $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-Unknown1
        $\mathrm{False} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{True}$:
      Invalid case by $\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{Unknown}$:
      $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-Unknown2

  Case $t_c = \mathrm{Unknown}$:
    Invalid case by $t_c \neq \mathrm{Unknown}$

Case (REL-TEST-FALSE):
  $\mathcal{B}^{conc}; \rho^{conc} \vdash A\ t^1_c$, $\mathcal{B}^{conc}(\ell_{test}) = t^2_c$, $t^1_c \neq \mathrm{Unknown}$, $t^2_c \neq \mathrm{Unknown}$, $t^1_c \neq t^2_c$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash A/\ell_{test}\ \mathrm{False}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash A\ t^1_a$    By induction hypothesis
  $t^1_c \preceq t^1_a$    By induction hypothesis
  By case analysis on $t^1_c$

  Case $t^1_c = \mathrm{True}$:
    $t^2_c = \mathrm{False}$    By $t^1_c \neq t^2_c$ and $t^2_c \neq \mathrm{Unknown}$
    By case analysis on $\mathcal{B}^{abs}(\ell_{test})$
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{False}$:
      By case analysis on $t^1_a$
      Case $t^1_a = \mathrm{True}$:
        $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{False}$    By rule rel-test-False
        $\mathrm{False} \preceq \mathrm{False}$    By rule $\preceq$-=
      Case $t^1_a = \mathrm{False}$:
        Invalid case by $\rho^{conc} \sqsubseteq \rho^{abs}$
      Case $t^1_a = \mathrm{Unknown}$:
        $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-Unknown1
        $\mathrm{False} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{True}$:
      Invalid case by $\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{Unknown}$:
      $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-Unknown2

  Case $t^1_c = \mathrm{False}$:
    $t^2_c = \mathrm{True}$    By $t^1_c \neq t^2_c$ and $t^2_c \neq \mathrm{Unknown}$
    By case analysis on $\mathcal{B}^{abs}(\ell_{test})$
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{True}$:
      By case analysis on $t^1_a$
      Case $t^1_a = \mathrm{False}$:
        $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{False}$    By rule rel-test-False
        $\mathrm{False} \preceq \mathrm{False}$    By rule $\preceq$-=
      Case $t^1_a = \mathrm{True}$:
        Invalid case by $\rho^{conc} \sqsubseteq \rho^{abs}$
      Case $t^1_a = \mathrm{Unknown}$:
        $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-Unknown1
        $\mathrm{False} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{False}$:
      Invalid case by $\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
    Case $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{Unknown}$:
      $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-Unknown2

  Case $t^1_c = \mathrm{Unknown}$:
    Invalid case by $t^1_c \neq \mathrm{Unknown}$

Case (REL-TEST-U1):
  $\mathcal{B}^{conc}; \rho^{conc} \vdash A\ \mathrm{Unknown}$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash A/\ell_{test}\ \mathrm{Unknown}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash A\ t_a$    By induction hypothesis
  $\mathrm{Unknown} \preceq t_a$    By induction hypothesis
  $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-u1
  $\mathrm{Unknown} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown

Case (REL-TEST-U2):
  $\mathcal{B}^{conc}(\ell_{test}) = \mathrm{Unknown}$, $\mathcal{B}^{conc}; \rho^{conc} \vdash A\ t_c$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash A/\ell_{test}\ \mathrm{Unknown}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash A\ t_a$    By induction hypothesis
  $t_c \preceq t_a$    By induction hypothesis
  $\mathcal{B}^{abs}(\ell_{test}) = \mathrm{Unknown}$    By $\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
  $\mathcal{B}^{abs}; \rho^{abs} \vdash A/\ell_{test}\ \mathrm{Unknown}$    By rule rel-test-u2
  $\mathrm{Unknown} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown

Case ($\neg$S-UNKNOWN):
  $\mathcal{B}^{conc}; \rho^{conc} \vdash S\ \mathrm{Unknown}$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash \neg S\ \mathrm{Unknown}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash S\ t_a$    By induction hypothesis
  $\mathrm{Unknown} \preceq t_a$    By induction hypothesis
  $\mathcal{B}^{abs}; \rho^{abs} \vdash \neg S\ \mathrm{Unknown}$    By rule $\neg$S-Unknown
  $\mathrm{Unknown} \preceq \mathrm{Unknown}$    By rule $\preceq$-Unknown

Case ($\neg$S-TRUE):
  $\mathcal{B}^{conc}; \rho^{conc} \vdash S\ \mathrm{False}$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash \neg S\ \mathrm{True}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash S\ t_a$    By induction hypothesis
  $\mathrm{False} \preceq t_a$    By induction hypothesis
  By case analysis on the value of $t_a$
  Case $t_a = \mathrm{False}$:
    $\mathcal{B}^{abs}; \rho^{abs} \vdash \neg S\ \mathrm{True}$    By rule $\neg$S-True
    $\mathrm{True} \preceq \mathrm{True}$    By rule $\preceq$-=
  Case $t_a = \mathrm{True}$:
    Contradiction with $\mathrm{False} \preceq t_a$
  Case $t_a = \mathrm{Unknown}$:
    $\mathcal{B}^{abs}; \rho^{abs} \vdash \neg S\ \mathrm{Unknown}$    By rule $\neg$S-Unknown
    $\mathrm{True} \preceq \mathrm{Unknown}$    By rule $\preceq$-=

Case ($\neg$S-FALSE):
  $\mathcal{B}^{conc}; \rho^{conc} \vdash S\ \mathrm{True}$
  $\mathcal{B}^{conc}; \rho^{conc} \vdash \neg S\ \mathrm{False}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash S\ t_a$    By induction hypothesis
  $\mathrm{True} \preceq t_a$    By induction hypothesis
  By case analysis on the value of $t_a$
  Case $t_a = \mathrm{True}$:
    $\mathcal{B}^{abs}; \rho^{abs} \vdash \neg S\ \mathrm{False}$    By rule $\neg$S-False
    $\mathrm{False} \preceq \mathrm{False}$    By rule $\preceq$-=
  Case $t_a = \mathrm{False}$:
    Contradiction with $\mathrm{True} \preceq t_a$
  Case $t_a = \mathrm{Unknown}$:
    $\mathcal{B}^{abs}; \rho^{abs} \vdash \neg S\ \mathrm{Unknown}$    By rule $\neg$S-Unknown
    $\mathrm{False} \preceq \mathrm{Unknown}$    By rule $\preceq$-=

Case (TRUE):
  $\mathcal{B}^{conc}; \rho^{conc} \vdash true\ \mathrm{True}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash true\ \mathrm{True}$    By rule true
  $\mathrm{True} \preceq \mathrm{True}$    By rule $\preceq$-=

Case (FALSE):
  $\mathcal{B}^{conc}; \rho^{conc} \vdash false\ \mathrm{False}$

  $\mathcal{B}^{abs}; \rho^{abs} \vdash false\ \mathrm{False}$    By rule false
  $\mathrm{False} \preceq \mathrm{False}$    By rule $\preceq$-=

Remaining cases work as expected for a three value logic.

□
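The truth-checking judgement and the $\preceq$ ordering that the proof of Theorem E.5 case-splits on, as an added example that is not part of the paper: a small Python model of $\mathcal{B}; \rho \vdash P[\sigma]\ t$ for the predicate forms the proof walks through (rel, $\neg$, true, false), with the store ordering $\sqsubseteq$ taken from the rules the proof cites ($\sqsubseteq$-bot, agreement, unknown on the abstract side), checked exhaustively over every pair of final stores. The tuple encoding of predicates, the relation names r1/r2 and the Kleene conjunction are assumptions of the example, not notation from the paper.

```python
"""Three-valued truth checking over concrete and abstract relation stores.

Added example (not from the paper). It models the judgement
B; rho |- P[sigma] t and checks the conclusion of Theorem E.5
(t_conc preceq t_abs) over all final stores with rho_conc sqsubseteq rho_abs.
"""
from itertools import product

TRUE, FALSE, UNKNOWN, BOT = "true", "false", "unknown", "bot"


def entry_leq(e_c, e_a):
    """E_c sqsubseteq E_a: bot is below everything, unknown is above
    everything, otherwise the entries must agree (the cases the REL
    proofs rule out as 'Contradiction with rho_conc sqsubseteq rho_abs')."""
    return e_c == BOT or e_c == e_a or e_a == UNKNOWN


def store_leq(rho_c, rho_a):
    """rho_conc sqsubseteq rho_abs: every concrete relation is in dom(rho_abs)
    (the inversion used in the REL cases) and refined entry-wise."""
    return all(r in rho_a and entry_leq(e, rho_a[r]) for r, e in rho_c.items())


def truth_leq(t_c, t_a):
    """t_c preceq t_a: rule preceq-= or rule preceq-Unknown."""
    return t_c == t_a or t_a == UNKNOWN


def truth(rho, pred):
    """Evaluate a predicate under a final store (no bot entries).
    Predicates are tuples (assumed encoding): ('rel', R), ('not', P),
    ('and', P, Q), ('true',), ('false',)."""
    kind = pred[0]
    if kind == "true":
        return TRUE
    if kind == "false":
        return FALSE
    if kind == "rel":  # rules rel-True / rel-False / rel-Unknown
        e = rho[pred[1]]
        if e == TRUE:
            return TRUE
        if e == FALSE:
            return FALSE
        return UNKNOWN
    if kind == "not":  # rules notS-True / notS-False / notS-Unknown
        t = truth(rho, pred[1])
        if t == TRUE:
            return FALSE
        if t == FALSE:
            return TRUE
        return UNKNOWN
    if kind == "and":  # assumed Kleene conjunction ("remaining cases")
        left, right = truth(rho, pred[1]), truth(rho, pred[2])
        if FALSE in (left, right):
            return FALSE
        if left == TRUE and right == TRUE:
            return TRUE
        return UNKNOWN
    raise ValueError(f"unknown predicate form: {pred!r}")


# Constructed sample relations and predicates for the exhaustive check.
RELS = ("r1", "r2")
PREDS = [("true",), ("false",), ("rel", "r1"), ("not", ("rel", "r1")),
         ("and", ("rel", "r1"), ("not", ("rel", "r2"))),
         ("not", ("and", ("rel", "r1"), ("rel", "r2")))]


def final_stores():
    """All final stores over RELS: entries true/false/unknown, never bot."""
    for vals in product((TRUE, FALSE, UNKNOWN), repeat=len(RELS)):
        yield dict(zip(RELS, vals))


def completeness_violations(preds=PREDS):
    """Triples (rho_c, rho_a, pred) with rho_c sqsubseteq rho_a but
    truth(rho_c) not preceq truth(rho_a). Theorem E.5 says this is empty."""
    bad = []
    for rho_c in final_stores():
        for rho_a in final_stores():
            if not store_leq(rho_c, rho_a):
                continue
            for p in preds:
                if not truth_leq(truth(rho_c, p), truth(rho_a, p)):
                    bad.append((rho_c, rho_a, p))
    return bad


def unsound_abstraction_violations(preds=PREDS):
    """Same check against an 'abstraction' that is not an over-approximation
    (it flips true to false): the property fails, which shows that the
    hypothesis rho_conc sqsubseteq rho_abs is what carries the proof."""
    bad = []
    for rho_c in final_stores():
        rho_a = {r: (FALSE if e == TRUE else e) for r, e in rho_c.items()}
        for p in preds:
            if not truth_leq(truth(rho_c, p), truth(rho_a, p)):
                bad.append((rho_c, rho_a, p))
    return bad
```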
Theorem E.6. Instruction Binding Complete

forall deriv.

$\mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$
$\mathcal{A}^{conc}; \Gamma_\gamma \vdash instr : op \mapsto (I^l_c, I^u_c)$

exists deriv.

$\mathcal{A}^{abs}; \Gamma_\gamma \vdash instr : op \mapsto (I^l_a, I^u_a)$
$I^l_c \subseteq I^l_a \cup I^u_a$
$I^u_c \subseteq I^u_a$
$I^l_c \supseteq I^l_a$

Proof:

By case analysis on the structure of the derivation of $\mathcal{A}^{conc}; \Gamma_\gamma \vdash instr : op \mapsto (I^l_c, I^u_c)$

Case (INVOKE):
  $FV(T_{this}.m(\bar{y} : \bar{t}) : T_{ret}) \subseteq \Gamma_\gamma$
  $(I^l_c, I^u_c) = findLabels(\mathcal{A}^{conc}, \Gamma_\gamma, \{x_{ret}, x_{this}\} \cup \bar{x}, \{ret, this\} \cup \bar{y})$
  $\mathcal{A}^{conc}; \Gamma_\gamma \vdash x_{ret} = x_{this}.m(\bar{x}) : T_{this}.m(\bar{y} : \bar{t}) : T_{ret} \mapsto (I^l_c, I^u_c)$

  $(I^l_a, I^u_a) = findLabels(\mathcal{A}^{abs}, \Gamma_\gamma, \{x_{ret}, x_{this}\} \cup \bar{x}, \{ret, this\} \cup \bar{y})$    By lemma FindLabels sound and complete
  $I^l_c \subseteq I^l_a \cup I^u_a$    By lemma FindLabels sound and complete
  $I^u_c \subseteq I^u_a$    By lemma FindLabels sound and complete
  $I^l_c \supseteq I^l_a$    By lemma FindLabels sound and complete
  $\mathcal{A}^{abs}; \Gamma_\gamma \vdash x_{ret} = x_{this}.m(\bar{x}) : T_{this}.m(\bar{y} : \bar{t}) : T_{ret} \mapsto (I^l_a, I^u_a)$    By rule invoke

Case (CONSTRUCTOR):
  $FV(new\ T(\bar{y} : \bar{t})) \subseteq \Gamma_\gamma$
  $(I^l_c, I^u_c) = findLabels(\mathcal{A}^{conc}, \Gamma_\gamma, \{x_{ret}\} \cup \bar{x}, \{this\} \cup \bar{y})$
  $\mathcal{A}^{conc}; \Gamma_\gamma \vdash x_{ret} = new\ m(\bar{x}) : new\ T(\bar{y} : \bar{t}) \mapsto (I^l_c, I^u_c)$

  $(I^l_a, I^u_a) = findLabels(\mathcal{A}^{abs}, \Gamma_\gamma, \{x_{ret}\} \cup \bar{x}, \{this\} \cup \bar{y})$    By lemma FindLabels sound and complete
  $I^l_c \subseteq I^l_a \cup I^u_a$    By lemma FindLabels sound and complete
  $I^u_c \subseteq I^u_a$    By lemma FindLabels sound and complete
  $I^l_c \supseteq I^l_a$    By lemma FindLabels sound and complete
  $\mathcal{A}^{abs}; \Gamma_\gamma \vdash x_{ret} = new\ m(\bar{x}) : new\ T(\bar{y} : \bar{t}) \mapsto (I^l_a, I^u_a)$    By rule constructor

Case (EOM):
  $\mathcal{A}^{conc}; \Gamma_\gamma \vdash eom : end\text{-}of\text{-}method \mapsto (\{\emptyset\}, \emptyset)$

  $\mathcal{A}^{abs}; \Gamma_\gamma \vdash eom : end\text{-}of\text{-}method \mapsto (\{\emptyset\}, \emptyset)$    By rule eom
  $I^l_c \subseteq I^l_a \cup I^u_a$    By $\{\emptyset\} \subseteq \{\emptyset\} \cup \emptyset$
  $I^u_c \subseteq I^u_a$    By $\emptyset \subseteq \emptyset$
  $I^l_c \supseteq I^l_a$    By $\{\emptyset\} \supseteq \{\emptyset\}$

□
F Soundness

Theorem F.1. Soundness of Relations Analysis

forall der.

$f_{alias}(\mathcal{A}^{abs}, instr) = \mathcal{A}^{abs\prime}$
$f_{alias}(\mathcal{A}^{conc}, instr) = \mathcal{A}^{conc\prime}$
$\rho^{abs}$ final
$\rho^{conc}$ final
$\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
$\mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$
$\mathcal{A}^{abs} \vdash \rho^{abs}$ consistent
$\mathcal{A}^{conc} \vdash \rho^{conc}$ consistent
$\rho^{conc} \sqsubseteq \rho^{abs}$
$f_{e;\mathcal{A}^{abs};\mathcal{B}^{abs}}(\rho^{abs}, instr) = \rho^{abs\prime}$

exists der.

$f_{e;\mathcal{A}^{conc};\mathcal{B}^{conc}}(\rho^{conc}, instr) = \rho^{conc\prime}$
$\rho^{conc\prime} \sqsubseteq \rho^{abs\prime}$
Proof: [Soundness of Relation Analysis]

$\rho^{abs\prime} = transfer(\rho^{abs}, \mathcal{A}^{abs\prime}) \sqcap \rho^{abs\Delta}$    By inversion on $f_{e;\mathcal{A}^{abs};\mathcal{B}^{abs}}(\rho^{abs}, instr) = \rho^{abs\prime}$
$\forall cons_i \in C$ . $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; cons_i \vdash instr \hookrightarrow \rho^{abs\Delta}_i$    By inversion on $f_{e;\mathcal{A}^{abs};\mathcal{B}^{abs}}(\rho^{abs}, instr) = \rho^{abs\prime}$
$\rho^{abs\Delta} = \bigsqcup_i \rho^{abs\Delta}_i$    By inversion on $f_{e;\mathcal{A}^{abs};\mathcal{B}^{abs}}(\rho^{abs}, instr) = \rho^{abs\prime}$
$\forall cons_i \in C$ .
  $\mathcal{A}^{conc\prime}; \rho^{conc}; cons_i \vdash instr \hookrightarrow \rho^{conc\Delta}_i$    By Lemma Soundness of Single Constraint
  $\rho^{conc\Delta}_i \sqsubseteq \rho^{abs\Delta}_i$    By Lemma Soundness of Single Constraint
  $\rho^{conc\Delta}_i \lhd \rho^{abs\Delta}_i$    By Lemma Soundness of Single Constraint
  $\mathcal{A}^{conc\prime} \vdash \rho^{conc\Delta}_i$ consistent    By Lemma Consistency of Single Constraint
$\exists R$ . $\forall i$ . $dom(\rho^{conc\Delta}_i) = R$    By Lemma consistency means same domain
Let $\rho^{conc\Delta} = \bigsqcup_i \rho^{conc\Delta}_i$    By join rule applied many times
$\rho^{conc\Delta} \lhd \rho^{abs\Delta}$    By Lemma $\sqcup$ preserves $\lhd$
$\rho^{conc\Delta} \sqsubseteq \rho^{abs\Delta}$    By Lemma $\sqcup$ preserves $\sqsubseteq$
$\mathcal{A}^{conc\prime} \vdash \rho^{conc\Delta}$ consistent    By Lemma same domains mean consistency
Let $\rho^{conc\prime\prime} = transfer(\rho^{conc}, \mathcal{A}^{conc\prime})$
$\mathcal{A}^{conc\prime} \vdash \rho^{conc\prime\prime}$ consistent    By Lemma transfer implies consistency
$dom(\rho^{conc\prime\prime}) = dom(\rho^{conc\Delta})$    By Lemma consistency means same domain
Let $\rho^{conc\prime} = \rho^{conc\prime\prime} \sqcap \rho^{conc\Delta}$    By rule overmeets
$\rho^{conc\prime} \sqsubseteq \rho^{abs\prime}$    By Lemma $\sqcap$ preserves $\sqsubseteq$
$f_{e;\mathcal{A}^{conc};\mathcal{B}^{conc}}(\rho^{conc}, instr) = \rho^{conc\prime}$    By rule flow-cons

□
Theorem F.2. Soundness of Single Constraint

forall deriv.

$\mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$
$\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
$\rho^{conc} \sqsubseteq \rho^{abs}$
$\mathcal{A}^{abs} \vdash \rho^{abs}$ consistent
$\mathcal{A}^{conc} \vdash \rho^{conc}$ consistent
$\rho^{conc}$ final
$\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; cons \vdash instr \hookrightarrow \rho^{abs\Delta}$

exists deriv.

$\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; cons \vdash instr \hookrightarrow \rho^{conc\Delta}$
$\rho^{conc\Delta} \sqsubseteq \rho^{abs\Delta}$
$\rho^{conc\Delta} \lhd \rho^{abs\Delta}$

Proof:

By case analysis on $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; cons \vdash instr \hookrightarrow \rho^{abs\Delta}$

Case (MATCH):
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $\mathcal{A}^{abs}; FV(cons) \vdash instr : op \mapsto (I^l_a, I^u_a)$
  $I^l_a \neq \emptyset \lor I^u_a \neq \emptyset$
  $\mathcal{P}^l_a = \{\rho^\Delta \mid \sigma \in I^l_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{part} cons \hookrightarrow \rho^\Delta\}$
  $\mathcal{P}^u_a = \{\downarrow\rho^\Delta \mid \sigma \in I^u_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma \vdash_{part} cons \hookrightarrow \rho^\Delta\}$
  $|\mathcal{P}^l_a| = |I^l_a|$, $|\mathcal{P}^u_a| = |I^u_a|$, $\mathcal{P}_a = \mathcal{P}^l_a \cup \mathcal{P}^u_a$
  $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; cons \vdash instr \hookrightarrow \bigsqcup \mathcal{P}_a$

  Let $\rho^{abs\Delta} = \bigsqcup \mathcal{P}_a$
  $\mathcal{A}^{conc} \vdash instr : op \mapsto (I^l_c, I^u_c)$    By Lemma Instruction Binding Sound
  $I^l_c \subseteq I^l_a \cup I^u_a$    By lemma Instruction Binding Sound
  $I^u_c \subseteq I^u_a$    By lemma Instruction Binding Sound
  $I^l_c \supseteq I^l_a$    By lemma Instruction Binding Sound
  By case analysis on the property $I^l_c \cup I^u_c = \emptyset$

  Case $I^l_c \cup I^u_c = \emptyset$:
    $I^l_c = \emptyset$    By inversion of $I^l_c \cup I^u_c = \emptyset$
    $I^u_c = \emptyset$    By inversion of $I^l_c \cup I^u_c = \emptyset$
    $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; cons \vdash instr \hookrightarrow \bot_{\mathcal{A}^{conc}}$    By rule not-match
    $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent    By definition of $\bot_{\mathcal{A}}$
    $\mathcal{A}^{abs} \vdash \rho^{abs\Delta}$ consistent    By Lemma partial binding consistent
    $dom(\bot_{\mathcal{A}^{conc}}) \subseteq dom(\rho^{abs\Delta})$    By lemma consistency and $\sqsubseteq_{\mathcal{A}}$ implies $\rho$ domains subset
    $\forall R \mapsto E_c \in \bot_{\mathcal{A}^{conc}}$ .
      $E_c = bot$    By definition of $\bot_{\mathcal{A}}$
      $E_c \sqsubseteq \rho^{abs\Delta}(R)$    By rule $\sqsubseteq$-bot
    $\forall R \mapsto E_c \in \bot_{\mathcal{A}^{conc}}$ . $E_c \sqsubseteq \rho^{abs\Delta}(R)$    By quantification above
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \rho^{abs\Delta}$    By rule $\sqsubseteq$-$\rho$
    $I^l_a = \emptyset$    By $I^l_c \supseteq I^l_a$ and $I^l_c = \emptyset$
    $\mathcal{P}^l_a = \emptyset$    By $|\mathcal{P}^l_a| = |I^l_a|$
    Let $\rho^{u\Delta}_a = \downarrow\rho^{u\Delta\prime}_a$ where $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^u \vdash_{part} cons \hookrightarrow \rho^{u\Delta\prime}_a$ and $\sigma^u \in I^u_a$    By construction of $\mathcal{P}^u_a$
    $\forall R \mapsto E \in \rho^{u\Delta}_a$ . $E = bot \lor E = unknown$    By $\downarrow$ makes everything bottom or top
    $\forall \rho^{u\Delta}_a \in \mathcal{P}^u_a$ . $\forall R \mapsto E \in \rho^{u\Delta}_a$ . $E = bot \lor E = unknown$    By quantification
    $\forall R \mapsto E \in \rho^{abs\Delta}$ . $E = bot \lor E = unknown$    By $\bigsqcup$ preserves polarity
    $\forall R \in dom(\bot_{\mathcal{A}^{conc}})$ .
      $\bot_{\mathcal{A}^{conc}}(R) = bot$    By definition of $\bot$
      Let $E_a = \rho^{abs\Delta}(R)$
      Case analysis on the value of $E_a$
      $E_a = bot$: $bot \lhd bot$    By rule $\lhd$-bot
      $E_a = unknown$: $bot \lhd unknown$    By rule $\lhd$-unknown
      $E_a = true$: Contradiction with $\forall R \mapsto E \in \rho^{abs\Delta}$ . $E = bot \lor E = unknown$
      $E_a = false$: Contradiction with $\forall R \mapsto E \in \rho^{abs\Delta}$ . $E = bot \lor E = unknown$
    $\forall R \in dom(\bot_{\mathcal{A}^{conc}})$ . $\bot_{\mathcal{A}^{conc}}(R) \lhd \rho^{abs\Delta}(R)$    By quantification
    $\bot_{\mathcal{A}^{conc}} \lhd \rho^{abs\Delta}$    By rule $\lhd$-$\rho$

  Case $I^l_c \cup I^u_c \neq \emptyset$:
    $I^l_c \neq \emptyset \lor I^u_c \neq \emptyset$    By inversion on $\cup$
    Let $\mathcal{P}^l_c = \{\rho^\Delta \mid \sigma \in I^l_c \land \mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{part} cons \hookrightarrow \rho^\Delta\}$
    $\forall \sigma^l \in I^l_c$ .
      $\sigma^l \in I^l_a \cup I^u_a$    By inversion on $I^l_c \subseteq I^l_a \cup I^u_a$
      Case analysis on the location of $\sigma^l$
      $\sigma^l \in I^l_a$:
        $\exists$ distinct $\rho^{l\Delta}_a \in \mathcal{P}^l_a$ . $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^l \vdash_{part} cons \hookrightarrow \rho^{l\Delta}_a$    By the construction of $\mathcal{P}^l_a$ and $|\mathcal{P}^l_a| = |I^l_a|$
        $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma^l \vdash_{part} cons \hookrightarrow \rho^{l\Delta}_c$    By lemma partial constraint binding sound
        $\mathcal{A}^{conc} \vdash \rho^{l\Delta}_c$ consistent    By lemma partial constraint consistent
        $\rho^{l\Delta}_c \sqsubseteq \rho^{l\Delta}_a$    By lemma partial constraint binding sound
        $\rho^{l\Delta}_c \lhd \rho^{l\Delta}_a$    By lemma partial constraint binding sound
        $\rho^{l\Delta}_c \in \mathcal{P}^l_c$    By construction of $\mathcal{P}^l_c$
      $\sigma^l \in I^u_a$:
        $\exists$ distinct $\rho^{u\Delta}_a \in \mathcal{P}^u_a$ . $\rho^{u\Delta}_a = \downarrow\rho^{u\Delta\prime}_a \land \mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^l \vdash_{part} cons \hookrightarrow \rho^{u\Delta\prime}_a$    By the construction of $\mathcal{P}^u_a$ and $|\mathcal{P}^u_a| = |I^u_a|$
        $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma^l \vdash_{part} cons \hookrightarrow \rho^{l\Delta}_c$    By lemma partial constraint binding sound
        $\mathcal{A}^{conc} \vdash \rho^{l\Delta}_c$ consistent    By lemma partial constraint consistent
        $\rho^{l\Delta}_c \sqsubseteq \rho^{u\Delta\prime}_a$    By lemma partial constraint binding sound
        $\rho^{l\Delta}_c \lhd \rho^{u\Delta\prime}_a$    By lemma partial constraint binding sound
        $\rho^{l\Delta}_c \sqsubseteq \downarrow\rho^{u\Delta\prime}_a$    By lemma $\downarrow$ on right preserves $\sqsubseteq$
        $\rho^{l\Delta}_c \lhd \downarrow\rho^{u\Delta\prime}_a$    By lemma $\downarrow$ on right preserves $\lhd$
        $\rho^{l\Delta}_c \in \mathcal{P}^l_c$    By construction of $\mathcal{P}^l_c$
    $\forall \sigma^l \in I^l_c$ . $\exists$ distinct $\rho^{l\Delta}_c \in \mathcal{P}^l_c$ . $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma^l \vdash_{part} cons \hookrightarrow \rho^{l\Delta}_c$    By quantification above
    $|\mathcal{P}^l_c| = |I^l_c|$    By quantification above and construction of $\mathcal{P}^l_c$
    $\forall \rho^{l\Delta}_c \in \mathcal{P}^l_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{l\Delta}_c \sqsubseteq \rho^\Delta_a$    By quantification above
    $\forall \rho^{l\Delta}_c \in \mathcal{P}^l_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{l\Delta}_c \lhd \rho^\Delta_a$    By quantification above
    $\forall \rho^{l\Delta}_c \in \mathcal{P}^l_c$ . $\mathcal{A}^{conc} \vdash \rho^{l\Delta}_c$ consistent    By quantification above
    Let $\mathcal{P}^u_c = \{\downarrow\rho^\Delta \mid \sigma \in I^u_c \land \mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma \vdash_{part} cons \hookrightarrow \rho^\Delta\}$
    $\forall \sigma^u \in I^u_c$ .
      $\sigma^u \in I^u_a$    By inversion on $\subseteq$
      $\exists$ distinct $\rho^{u\Delta\prime}_a \in \mathcal{P}^u_a$ . $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; \sigma^u \vdash_{part} cons \hookrightarrow \rho^{u\Delta\prime}_a$    By the construction of $\mathcal{P}^u_a$ and $|\mathcal{P}^u_a| = |I^u_a|$
      $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma^u \vdash_{part} cons \hookrightarrow \rho^{u\Delta\prime}_c$    By lemma partial constraint binding sound
      $\mathcal{A}^{conc} \vdash \rho^{u\Delta\prime}_c$ consistent    By lemma partial constraint consistent
      Let $\rho^{u\Delta}_a = \downarrow\rho^{u\Delta\prime}_a$
      $dom(\rho^{u\Delta\prime}_c) = dom(\rho^{conc})$    By lemma consistency implies same domain
      Let $\rho^{u\Delta}_c = \downarrow\rho^{u\Delta\prime}_c$
      $\rho^{u\Delta\prime}_c \sqsubseteq \rho^{u\Delta\prime}_a$    By lemma partial constraint binding sound
      $\rho^{u\Delta\prime}_c \lhd \rho^{u\Delta\prime}_a$    By lemma partial constraint binding sound
      $\rho^{u\Delta}_c \sqsubseteq \rho^{u\Delta}_a$    By lemma $\downarrow$ preserves $\sqsubseteq$
      $\rho^{u\Delta}_c \lhd \rho^{u\Delta}_a$    By lemma $\downarrow$ preserves $\lhd$
      $\rho^{u\Delta}_c \in \mathcal{P}^u_c$    By construction of $\mathcal{P}^u_c$
    $\forall \sigma^u \in I^u_c$ . $\exists$ distinct $\rho^{u\Delta}_c \in \mathcal{P}^u_c$ . $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; \sigma^u \vdash_{part} cons \hookrightarrow \rho^{u\Delta}_c$    By quantification above
    $|\mathcal{P}^u_c| = |I^u_c|$    By quantification above and construction of $\mathcal{P}^u_c$
    $\forall \rho^{u\Delta}_c \in \mathcal{P}^u_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{u\Delta}_c \sqsubseteq \rho^\Delta_a$    By quantification above
    $\forall \rho^{u\Delta}_c \in \mathcal{P}^u_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^{u\Delta}_c \lhd \rho^\Delta_a$    By quantification above
    $\forall \rho^{u\Delta}_c \in \mathcal{P}^u_c$ . $\mathcal{A}^{conc} \vdash \rho^{u\Delta}_c$ consistent    By quantification above
    Let $\mathcal{P}_c = \mathcal{P}^l_c \cup \mathcal{P}^u_c$
    $\exists R$ . $\forall \rho_c \in \mathcal{P}_c$ . $dom(\rho_c) = R$    By inversion on consistency of each $\rho^\Delta_c$
    Let $\rho^{conc\Delta} = \bigsqcup \mathcal{P}_c$
    $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; cons \vdash instr \hookrightarrow \rho^{conc\Delta}$    By rule match
    $\forall \rho^\Delta_c \in \mathcal{P}_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^\Delta_c \sqsubseteq \rho^\Delta_a$    By $\mathcal{P}_c = \mathcal{P}^l_c \cup \mathcal{P}^u_c$
    $\forall \rho^\Delta_c \in \mathcal{P}_c$ . $\exists$ distinct $\rho^\Delta_a \in \mathcal{P}_a$ . $\rho^\Delta_c \lhd \rho^\Delta_a$    By $\mathcal{P}_c = \mathcal{P}^l_c \cup \mathcal{P}^u_c$
    $\rho^{conc\Delta} \sqsubseteq \rho^{abs\Delta}$    By $\bigsqcup$ preserves $\sqsubseteq$ and $\lhd$ on sets
    $\rho^{conc\Delta} \lhd \rho^{abs\Delta}$    By $\bigsqcup$ preserves $\sqsubseteq$ and $\lhd$ on sets

Case (NO-MATCH):
  $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
  $\mathcal{A}^{abs}; FV(cons) \vdash instr : op \mapsto (\emptyset, \emptyset)$
  $\mathcal{A}^{abs}; \mathcal{B}^{abs}; \rho^{abs}; cons \vdash instr \hookrightarrow \bot_{\mathcal{A}^{abs}}$

  $\mathcal{A}^{conc}; \Gamma \vdash instr : op \mapsto (I^l_c, I^u_c)$    By Lemma Instruction Binding Sound
  $I^l_c \subseteq I^l_a \cup I^u_a$    By lemma Instruction Binding Sound
  $I^l_c = \emptyset$    By inversion on $\subseteq$
  $I^u_c \subseteq I^u_a$    By lemma Instruction Binding Sound
  $I^u_c = \emptyset$    By inversion on $\subseteq$
  $\mathcal{A}^{conc}; \mathcal{B}^{conc}; \rho^{conc}; cons \vdash instr \hookrightarrow \bot_{\mathcal{A}^{conc}}$    By rule not-match
  $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent    By definition of $\bot_{\mathcal{A}}$
  $\forall R \in dom(\bot_{\mathcal{A}^{conc}})$ . $\bot_{\mathcal{A}^{conc}}(R) = bot$    By definition of $\bot_{\mathcal{A}}$
  $\mathcal{A}^{abs} \vdash \bot_{\mathcal{A}^{abs}}$ consistent    By definition of $\bot_{\mathcal{A}}$
  $\forall R \in dom(\bot_{\mathcal{A}^{abs}})$ . $\bot_{\mathcal{A}^{abs}}(R) = bot$    By definition of $\bot_{\mathcal{A}}$
  $dom(\bot_{\mathcal{A}^{conc}}) \subseteq dom(\bot_{\mathcal{A}^{abs}})$    By lemma consistency and $\sqsubseteq_{\mathcal{A}}$ implies $\rho$ domains subset
  $\forall R \in dom(\bot_{\mathcal{A}^{conc}})$ . $\bot_{\mathcal{A}^{conc}}(R) \sqsubseteq \bot_{\mathcal{A}^{abs}}(R)$    By rule $\sqsubseteq$-bot
  $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$    By rule $\sqsubseteq$-$\rho$
  $\forall R \in dom(\bot_{\mathcal{A}^{conc}})$ . $\bot_{\mathcal{A}^{conc}}(R) \lhd \bot_{\mathcal{A}^{abs}}(R)$    By rule $\lhd$-bot
  $\bot_{\mathcal{A}^{conc}} \lhd \bot_{\mathcal{A}^{abs}}$    By rule $\lhd$-$\rho$

□
Theorem F.3. Soundness of Constraint with Partial Substitution

forall deriv.
  $\mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$
  $\rho^{conc} \sqsubseteq \rho^{abs}$
  $\rho^{abs}$ final
  $\rho^{conc}$ final
  $\mathcal{A}^{abs} \vdash \rho^{abs}$ consistent
  $\mathcal{A}^{conc} \vdash \rho^{conc}$ consistent
  $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma \vdash_{part} cons \hookrightarrow \rho^{absA}$
  $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$

exists deriv.
  $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{part} cons \hookrightarrow \rho^{concA}$
  $\rho^{concA} \sqsubseteq \rho^{absA}$
  $\rho^{concA} \trianglelefteq \rho^{absA}$

Proof:

By case analysis on $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma \vdash_{part} cons \hookrightarrow \rho^{absA}$


Case: (BOUND)

    $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
    $\Gamma_V = FV(op) \cup FV(P_{ctx}) \cup FV(Q)$
    $allValidSubs(\mathcal{A}^{abs};\sigma_{op};\Gamma_V) = (\Sigma^t_a, \Sigma^u_a)$
    $\Sigma^t_a \neq \emptyset \vee \Sigma^u_a \neq \emptyset$
    $\mathcal{P}^t_a = \{\rho^A \mid \sigma \in \Sigma^t_a \wedge \mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma \vdash_{full} cons \hookrightarrow \rho^A\}$
    $\mathcal{P}^u_a = \{{\downarrow}\rho^A \mid \sigma \in \Sigma^u_a \wedge \mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma \vdash_{full} cons \hookrightarrow \rho^A\}$
    $\mathcal{P}_a = \mathcal{P}^t_a \cup \mathcal{P}^u_a$
    ------------------------------------------------------------
    $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma_{op} \vdash_{part} cons \hookrightarrow (\dot\sqcup\, \mathcal{P}_a)$

  Let $\rho^A = (\dot\sqcup\, \mathcal{P}_a)$
  $allValidSubs(\mathcal{A}^{conc};\sigma_{op};\Gamma_V) = (\Sigma^t_c, \Sigma^u_c)$        By Lemma All Valid Subs sound and complete
  $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$        By Lemma All Valid Subs sound and complete
  $\Sigma^u_c \subseteq \Sigma^u_a$        By Lemma All Valid Subs sound and complete
  $\Sigma^t_c \supseteq \Sigma^t_a$        By Lemma All Valid Subs sound and complete
  $\forall \sigma \in \Sigma^t_c \;.\; \mathcal{A}^{conc} \vdash \sigma$ validFor $\Gamma_V$        By Lemma All Valid Subs sound and complete
  $\forall \sigma \in \Sigma^u_c \;.\; \mathcal{A}^{conc} \vdash \sigma$ validFor $\Gamma_V$        By Lemma All Valid Subs sound and complete
  $\forall \sigma \in \Sigma^t_c \;.\; \mathcal{A}^{conc} \vdash \sigma$ validFor $FV(P_{ctx})$        By $FV(P_{ctx}) \subseteq \Gamma_V$
  $\forall \sigma \in \Sigma^u_c \;.\; \mathcal{A}^{conc} \vdash \sigma$ validFor $FV(P_{ctx})$        By $FV(P_{ctx}) \subseteq \Gamma_V$

  By case analysis on the property $\Sigma^t_c \cup \Sigma^u_c = \emptyset$

  Case: $\Sigma^t_c \cup \Sigma^u_c = \emptyset$

    $\Sigma^t_c = \emptyset$        By inversion of $\Sigma^t_c \cup \Sigma^u_c = \emptyset$
    $\Sigma^u_c = \emptyset$        By inversion of $\Sigma^t_c \cup \Sigma^u_c = \emptyset$
    $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma_{op} \vdash_{part} cons \hookrightarrow \bot_{\mathcal{A}^{conc}}$        By rule cant-bind
    $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent        By definition of $\bot_{\mathcal{A}}$
    $\mathcal{A}^{abs} \vdash \rho^A$ consistent        By Lemma forall binding consistent
    $dom(\bot_{\mathcal{A}^{conc}}) \subseteq dom(\rho^A)$        By lemma consistency and $\sqsubseteq_{\mathcal{A}}$ implies $\rho$ domains subset
    $\forall R \mapsto E_c \in \bot_{\mathcal{A}^{conc}} \;.$
      $E_c = bot$        By definition of $\bot_{\mathcal{A}}$
      $E_c \sqsubseteq \rho^A(R)$        By rule $\sqsubseteq$-bot
    $\forall R \mapsto E_c \in \bot_{\mathcal{A}^{conc}} \;.\; E_c \sqsubseteq \rho^A(R)$        By quantification above
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \rho^A$        By rule $\sqsubseteq$-$\rho$
    $\Sigma^t_a = \emptyset$        By $\Sigma^t_c \supseteq \Sigma^t_a$ and $\Sigma^t_c = \emptyset$
    $\mathcal{P}^t_a = \emptyset$        By $|\mathcal{P}^t_a| = |\Sigma^t_a|$
    $\forall \rho^{uA}_a \in \mathcal{P}^u_a \;.$
      Let $\rho^{uA}_a = {\downarrow}\rho^{uA'}_a$ where $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma^u \vdash_{full} cons \hookrightarrow \rho^{uA'}_a$ and $\sigma^u \in \Sigma^u_a$        By construction of $\mathcal{P}^u_a$
      $\forall R \mapsto E \in \rho^{uA}_a \;.\; E = bot \vee E = unknown$        By $\downarrow$ creates polarity
    $\forall \rho^{uA}_a \in \mathcal{P}^u_a \;.\; \forall R \mapsto E \in \rho^{uA}_a \;.\; E = bot \vee E = unknown$        By quantification
    $\forall R \mapsto E \in \rho^A \;.\; E = bot \vee E = unknown$        By $\dot\sqcup$ preserves polarity
    $\forall R \in dom(\bot_{\mathcal{A}^{conc}}) \;.$
      $\bot_{\mathcal{A}^{conc}}(R) = bot$        By definition of $\bot_{\mathcal{A}}$
      Let $E_a = \rho^A(R)$
      Case analysis on the value of $E_a$
        $E_a = bot$:  $bot \trianglelefteq bot$        By rule $\trianglelefteq$-bot
        $E_a = unknown$:  $bot \trianglelefteq unknown$        By rule $\trianglelefteq$-unknown
        $E_a = true$:  Contradiction with $\forall R \mapsto E \in \rho^A \;.\; E = bot \vee E = unknown$
        $E_a = false$:  Contradiction with $\forall R \mapsto E \in \rho^A \;.\; E = bot \vee E = unknown$
    $\forall R \in dom(\bot_{\mathcal{A}^{conc}}) \;.\; \bot_{\mathcal{A}^{conc}}(R) \trianglelefteq \rho^A(R)$        By quantification
    $\bot_{\mathcal{A}^{conc}} \trianglelefteq \rho^A$        By rule $\trianglelefteq$-$\rho$
  Case: $\Sigma^t_c \cup \Sigma^u_c \neq \emptyset$

    $\Sigma^t_c \neq \emptyset \vee \Sigma^u_c \neq \emptyset$        By inversion on $\cup$
    Let $\mathcal{P}^t_c = \{\rho^A \mid \sigma \in \Sigma^t_c \wedge \mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{full} cons \hookrightarrow \rho^A\}$
    $\forall \sigma^t \in \Sigma^t_c \;.$
      $\sigma^t \in \Sigma^t_a \cup \Sigma^u_a$        By inversion on $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$
      Case analysis on the location of $\sigma^t$
      Case $\sigma^t \in \Sigma^t_a$
        $\exists$ distinct $\rho^{tA}_a \in \mathcal{P}^t_a \;.\; \mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma^t \vdash_{full} cons \hookrightarrow \rho^{tA}_a$        By the construction of $\mathcal{P}^t_a$ and $|\mathcal{P}^t_a| = |\Sigma^t_a|$
        $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma^t \vdash_{full} cons \hookrightarrow \rho^{tA}_c$        By lemma full constraint binding sound
        $\mathcal{A}^{conc} \vdash \rho^{tA}_c$ consistent        By lemma full constraint consistent
        $\rho^{tA}_c \sqsubseteq \rho^{tA}_a$        By lemma full constraint binding sound
        $\rho^{tA}_c \trianglelefteq \rho^{tA}_a$        By lemma full constraint binding sound
        $\rho^{tA}_c \in \mathcal{P}^t_c$        By construction of $\mathcal{P}^t_c$
      Case $\sigma^t \in \Sigma^u_a$
        $\exists$ distinct $\rho^{uA}_a \in \mathcal{P}^u_a \;.\; \rho^{uA}_a = {\downarrow}\rho^{uA'}_a \wedge \mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma^t \vdash_{full} cons \hookrightarrow \rho^{uA'}_a$        By the construction of $\mathcal{P}^u_a$
        $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma^t \vdash_{full} cons \hookrightarrow \rho^{tA}_c$        By lemma full constraint binding sound
        $\mathcal{A}^{conc} \vdash \rho^{tA}_c$ consistent        By lemma full constraint consistent
        $\rho^{tA}_c \sqsubseteq \rho^{uA'}_a$        By lemma full constraint binding sound
        $\rho^{tA}_c \trianglelefteq \rho^{uA'}_a$        By lemma full constraint binding sound
        $\rho^{tA}_c \sqsubseteq \rho^{uA}_a$        By lemma $\downarrow$ on abs preserves $\sqsubseteq$
        $\rho^{tA}_c \trianglelefteq \rho^{uA}_a$        By lemma $\downarrow$ on abs preserves $\trianglelefteq$
        $\rho^{tA}_c \in \mathcal{P}^t_c$        By construction of $\mathcal{P}^t_c$
    $\forall \sigma^t \in \Sigma^t_c \;.\; \exists$ distinct $\rho^t_c \in \mathcal{P}^t_c \;.\; \mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma^t \vdash_{full} cons \hookrightarrow \rho^t_c$        By quantification above
    $|\mathcal{P}^t_c| = |\Sigma^t_c|$        By quantification above and construction of $\mathcal{P}^t_c$
    $\forall \rho^{tA}_c \in \mathcal{P}^t_c \;.\; \exists$ distinct $\rho^A_a \in \mathcal{P}_a \;.\; \rho^{tA}_c \sqsubseteq \rho^A_a$        By quantification above
    $\forall \rho^{tA}_c \in \mathcal{P}^t_c \;.\; \exists$ distinct $\rho^A_a \in \mathcal{P}_a \;.\; \rho^{tA}_c \trianglelefteq \rho^A_a$        By quantification above
    $\forall \rho^{tA}_c \in \mathcal{P}^t_c \;.\; \mathcal{A}^{conc} \vdash \rho^{tA}_c$ consistent        By quantification above
    Let $\mathcal{P}^u_c = \{{\downarrow}\rho^A \mid \sigma \in \Sigma^u_c \wedge \mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{full} cons \hookrightarrow \rho^A\}$
    $\forall \sigma^u \in \Sigma^u_c \;.$
      $\sigma^u \in \Sigma^u_a$        By inversion on $\Sigma^u_c \subseteq \Sigma^u_a$
      $\exists$ distinct $\rho^{uA'}_a \in \mathcal{P}^u_a \;.\; \mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma^u \vdash_{full} cons \hookrightarrow \rho^{uA'}_a$        By the construction of $\mathcal{P}^u_a$ and $|\mathcal{P}^u_a| = |\Sigma^u_a|$
      $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma^u \vdash_{full} cons \hookrightarrow \rho^{uA'}_c$        By lemma full constraint binding sound
      $\mathcal{A}^{conc} \vdash \rho^{uA'}_c$ consistent        By lemma full constraint consistent
      Let $\rho^{uA}_a = {\downarrow}\rho^{uA'}_a$
      $dom(\rho^{uA'}_c) = dom(\rho^{conc})$        By lemma consistency implies same domain
      Let $\rho^{uA}_c = {\downarrow}\rho^{uA'}_c$
      $\rho^{uA'}_c \sqsubseteq \rho^{uA'}_a$        By lemma full constraint binding sound
      $\rho^{uA'}_c \trianglelefteq \rho^{uA'}_a$        By lemma full constraint binding sound
      $\rho^{uA}_c \sqsubseteq \rho^{uA}_a$        By lemma $\downarrow$ preserves $\sqsubseteq$
      $\rho^{uA}_c \trianglelefteq \rho^{uA}_a$        By lemma $\downarrow$ preserves $\trianglelefteq$
      $\rho^{uA}_c \in \mathcal{P}^u_c$        By construction of $\mathcal{P}^u_c$
    $\forall \sigma^u \in \Sigma^u_c \;.\; \exists$ distinct $\rho^u_c \in \mathcal{P}^u_c \;.\; \mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma^u \vdash_{full} cons \hookrightarrow \rho^u_c$        By quantification above
    $|\mathcal{P}^u_c| = |\Sigma^u_c|$        By quantification above and construction of $\mathcal{P}^u_c$
    $\forall \rho^{uA}_c \in \mathcal{P}^u_c \;.\; \exists$ distinct $\rho^A_a \in \mathcal{P}_a \;.\; \rho^{uA}_c \sqsubseteq \rho^A_a$        By quantification above
    $\forall \rho^{uA}_c \in \mathcal{P}^u_c \;.\; \exists$ distinct $\rho^A_a \in \mathcal{P}_a \;.\; \rho^{uA}_c \trianglelefteq \rho^A_a$        By quantification above
    $\forall \rho^{uA}_c \in \mathcal{P}^u_c \;.\; \mathcal{A}^{conc} \vdash \rho^{uA}_c$ consistent        By quantification above
    Let $\mathcal{P}_c = \mathcal{P}^t_c \cup \mathcal{P}^u_c$
    $\exists R \;.\; \forall \rho_c \in \mathcal{P}_c \;.\; dom(\rho_c) = R$        By inversion on consistency of each $\rho^{tA}_c$
    Let $\rho^A = (\dot\sqcup\, \mathcal{P}_c)$
    $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma_{op} \vdash_{part} cons \hookrightarrow \rho^{concA}$        By rule bind
    $\forall \rho^A_c \in \mathcal{P}_c \;.\; \exists$ distinct $\rho^A_a \in \mathcal{P}_a \;.\; \rho^A_c \sqsubseteq \rho^A_a$        By $\mathcal{P}_c = \mathcal{P}^t_c \cup \mathcal{P}^u_c$
    $\forall \rho^A_c \in \mathcal{P}_c \;.\; \exists$ distinct $\rho^A_a \in \mathcal{P}_a \;.\; \rho^A_c \trianglelefteq \rho^A_a$        By $\mathcal{P}_c = \mathcal{P}^t_c \cup \mathcal{P}^u_c$
    $\rho^A_c \sqsubseteq \rho^A_a$        By $\dot\sqcup$ preserves $\sqsubseteq$ and $\trianglelefteq$ on sets
    $\rho^A_c \trianglelefteq \rho^A_a$        By $\dot\sqcup$ preserves $\sqsubseteq$ and $\trianglelefteq$ on sets
Case: (CANT-BIND)

    $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
    $\Gamma_V = FV(op) \cup FV(P_{ctx}) \cup FV(Q)$
    $allValidSubs(\mathcal{A}^{abs};\sigma_{op};\Gamma_V) = (\emptyset, \emptyset)$
    ------------------------------------------------------------
    $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma_{op} \vdash_{part} cons \hookrightarrow \bot_{\mathcal{A}^{abs}}$

  $allValidSubs(\mathcal{A}^{conc};\sigma_{op};\Gamma_V) = (\Sigma^t_c, \Sigma^u_c)$        By Lemma All Subs Sound
  $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$        By Lemma All Subs Sound and complete
  $\Sigma^t_c = \emptyset$        By inversion on $\subseteq$
  $\Sigma^u_c \subseteq \Sigma^u_a$        By Lemma All Subs Sound and complete
  $\Sigma^u_c = \emptyset$        By inversion on $\subseteq$
  $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma_{op} \vdash_{part} cons \hookrightarrow \bot_{\mathcal{A}^{conc}}$        By rule cant-bind
  $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent        By definition of $\bot_{\mathcal{A}}$
  $\forall R \in dom(\bot_{\mathcal{A}^{conc}}) \;.\; \bot_{\mathcal{A}^{conc}}(R) = bot$        By definition of $\bot_{\mathcal{A}}$
  $\mathcal{A}^{abs} \vdash \bot_{\mathcal{A}^{abs}}$ consistent        By definition of $\bot_{\mathcal{A}}$
  $\forall R \in dom(\bot_{\mathcal{A}^{abs}}) \;.\; \bot_{\mathcal{A}^{abs}}(R) = bot$        By definition of $\bot_{\mathcal{A}}$
  $dom(\bot_{\mathcal{A}^{conc}}) \subseteq dom(\bot_{\mathcal{A}^{abs}})$        By Lemma consistency and $\sqsubseteq_{\mathcal{A}}$ implies $\rho$ domains subset
  $\forall R \in dom(\bot_{\mathcal{A}^{conc}}) \;.\; \bot_{\mathcal{A}^{conc}}(R) \sqsubseteq \bot_{\mathcal{A}^{abs}}(R)$        By rule $\sqsubseteq$-bot
  $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$        By rule $\sqsubseteq$-$\rho$
  $\forall R \in dom(\bot_{\mathcal{A}^{conc}}) \;.\; \bot_{\mathcal{A}^{conc}}(R) \trianglelefteq \bot_{\mathcal{A}^{abs}}(R)$        By rule $\trianglelefteq$-bot
  $\bot_{\mathcal{A}^{conc}} \trianglelefteq \bot_{\mathcal{A}^{abs}}$        By rule $\trianglelefteq$-$\rho$

□
Theorem F.4. Soundness of Constraint with Full Substitution

forall deriv.
  $\mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$
  $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$
  $\rho^{conc} \sqsubseteq \rho^{abs}$
  $\mathcal{A}^{abs} \vdash \rho^{abs}$ consistent
  $\mathcal{A}^{conc} \vdash \rho^{conc}$ consistent
  $\rho^{abs}$ final
  $\rho^{conc}$ final
  $\mathcal{A}^{conc} \vdash \sigma$ validFor $FV(P_{ctx})$
  $dom(\sigma) = dom(FV(cons))$
  $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma \vdash_{full} cons \hookrightarrow \rho^{absA}$

exists deriv.
  $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{full} cons \hookrightarrow \rho^{concA}$
  $\rho^{concA} \sqsubseteq \rho^{absA}$
  $\rho^{concA} \trianglelefteq \rho^{absA}$

Proof:

By case analysis on $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma \vdash_{full} cons \hookrightarrow \rho^{absA}$


Case: (FULL-F-SOUND)

    $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
    $\mathcal{B}^{abs};\rho^{abs} \vdash P_{ctx}[\sigma] \Rightarrow False$
    ------------------------------------------------------------
    $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma \vdash_{full} cons \hookrightarrow \bot_{\mathcal{A}^{abs}}$

  $\mathcal{B}^{conc};\rho^{conc} \vdash P_{ctx}[\sigma] \Rightarrow t_c$        By lemma truth sound
  $t_c \preceq False$        By lemma truth sound
  $\mathcal{B}^{conc};\rho^{conc} \vdash P_{ctx}[\sigma] \Rightarrow False$        By inversion on $t_c \preceq False$
  $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{full} cons \hookrightarrow \bot_{\mathcal{A}^{conc}}$        By rule full-sound-False
  $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}} \;.\; E = bot$        By definition of $\bot_{\mathcal{A}}$
  $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}} \;.\; E \sqsubseteq \bot_{\mathcal{A}^{abs}}(R)$        By rule $\sqsubseteq$-bot
  $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$        By rule $\sqsubseteq$-$\rho$
  $\forall R \mapsto E \in \bot_{\mathcal{A}^{abs}} \;.\; E = bot$        By definition of $\bot_{\mathcal{A}}$
  $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}} \;.\; E \trianglelefteq \bot_{\mathcal{A}^{abs}}(R)$        By rule $\trianglelefteq$-bot
  $\bot_{\mathcal{A}^{conc}} \trianglelefteq \bot_{\mathcal{A}^{abs}}$        By rule $\trianglelefteq$-$\rho$

Case: (FULL-T-SOUND)

    $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
    $\mathcal{B}^{abs};\rho^{abs} \vdash P_{ctx}[\sigma] \Rightarrow True$
    $(\Sigma^t_a, \Sigma^u_a) = allValidSubs(\mathcal{A}^{abs};\sigma;FV(cons))$
    $\exists \sigma' \in \Sigma^t_a \;.\; \mathcal{B}^{abs};\rho^{abs} \vdash P_{req}[\sigma'] \Rightarrow True$
    ------------------------------------------------------------
    $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma \vdash_{full} cons \hookrightarrow lattice(Q[\sigma])$

  $\mathcal{B}^{conc};\rho^{conc} \vdash P_{ctx}[\sigma] \Rightarrow t_c$        By lemma truth sound
  $t_c \preceq True$        By lemma truth sound
  $\mathcal{B}^{conc};\rho^{conc} \vdash P_{ctx}[\sigma] \Rightarrow True$        By inversion on $t_c \preceq True$
  $(\Sigma^t_c, \Sigma^u_c) = allValidSubs(\mathcal{A}^{conc};\sigma;FV(cons))$        By lemma valid subs Sound and Complete
  $\forall \sigma \in \Sigma^t_c \cup \Sigma^u_c \;.\; \mathcal{A}^{conc} \vdash \sigma$ validFor $FV(cons)$        By lemma valid subs Sound and Complete
  $\forall \sigma \in \Sigma^t_c \cup \Sigma^u_c \;.\; \mathcal{A}^{conc} \vdash \sigma$ validFor $FV(P_{req})$        By $FV(P_{req}) \subseteq FV(cons)$
  $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$        By lemma valid subs Sound and Complete
  $\Sigma^u_c \subseteq \Sigma^u_a$        By lemma valid subs Sound and Complete
  $\Sigma^t_c \supseteq \Sigma^t_a$        By lemma valid subs Sound and Complete
  $\exists \sigma' \in \Sigma^t_c \;.\; \mathcal{B}^{abs};\rho^{abs} \vdash P_{req}[\sigma'] \Rightarrow True$        By $\Sigma^t_c \supseteq \Sigma^t_a$
  Let $\rho^{absA} = lattice(Q[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs})$
  $\rho^{concA} = lattice(Q[\sigma], \mathcal{A}^{conc}, \mathcal{B}^{conc})$        By Lemma lattice sound
  $\rho^{concA} \sqsubseteq \rho^{absA}$        By Lemma lattice sound
  $\rho^{concA} \trianglelefteq \rho^{absA}$        By Lemma lattice sound
  $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{full} cons \hookrightarrow \rho^{concA}$        By rule full-T-sound
Case: (FULL-U-SOUND)

    $cons = op : P_{ctx} \Rightarrow P_{req} \leadsto Q$
    $\mathcal{B}^{abs};\rho^{abs} \vdash P_{ctx}[\sigma] \Rightarrow Unknown$
    $(\Sigma^t_a, \Sigma^u_a) = allValidSubs(\mathcal{A}^{abs};\sigma;FV(cons))$
    $\exists \sigma' \in \Sigma^t_a \;.\; \mathcal{B}^{abs};\rho^{abs} \vdash P_{req}[\sigma'] \Rightarrow True$
    $\rho^{absA'} = lattice(Q[\sigma])$
    ------------------------------------------------------------
    $\mathcal{A}^{abs};\mathcal{B}^{abs};\rho^{abs};\sigma \vdash_{full} cons \hookrightarrow \rho^{absA'}$

  $\mathcal{B}^{conc};\rho^{conc} \vdash P_{ctx}[\sigma] \Rightarrow t$        By lemma truth sound

  Case analysis on $t$

  Case: $t = True$

    $(\Sigma^t_c, \Sigma^u_c) = allValidSubs(\mathcal{A}^{conc};\sigma;FV(cons))$        By lemma valid subs Sound and Complete
    $\forall \sigma \in \Sigma^t_c \cup \Sigma^u_c \;.\; \mathcal{A}^{conc} \vdash \sigma$ validFor $FV(cons)$        By lemma valid subs Sound and Complete
    $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$        By lemma valid subs Sound and Complete
    $\Sigma^u_c \subseteq \Sigma^u_a$        By lemma valid subs Sound and Complete
    $\Sigma^t_c \supseteq \Sigma^t_a$        By lemma valid subs Sound and Complete
    $\exists \sigma' \in \Sigma^t_c \;.\; \mathcal{B}^{abs};\rho^{abs} \vdash P_{req}[\sigma'] \Rightarrow True$        By $\Sigma^t_c \supseteq \Sigma^t_a$
    Let $\rho^{absA'} = lattice(Q[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs})$
    $\rho^{concA} = lattice(Q[\sigma], \mathcal{A}^{conc}, \mathcal{B}^{conc})$        By Lemma lattice sound
    $\rho^{concA} \sqsubseteq \rho^{absA'}$        By Lemma lattice sound
    $\rho^{concA} \trianglelefteq \rho^{absA'}$        By Lemma lattice sound
    Let $\rho^{absA} = {\downarrow}\rho^{absA'}$
    $\rho^{concA} \sqsubseteq \rho^{absA}$        By Lemma $\downarrow$ on abs preserves $\sqsubseteq$
    $\rho^{concA} \trianglelefteq \rho^{absA}$        By Lemma $\downarrow$ on abs preserves $\trianglelefteq$
    $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{full} cons \hookrightarrow \rho^{concA}$        By rule full-T-sound

  Case: $t = Unknown$

    $(\Sigma^t_c, \Sigma^u_c) = allValidSubs(\mathcal{A}^{conc};\sigma;FV(cons))$        By lemma valid subs Sound and Complete
    $\forall \sigma \in \Sigma^t_c \cup \Sigma^u_c \;.\; \mathcal{A}^{conc} \vdash \sigma$ validFor $FV(cons)$        By lemma valid subs Sound and Complete
    $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$        By lemma valid subs Sound and Complete
    $\Sigma^u_c \subseteq \Sigma^u_a$        By lemma valid subs Sound and Complete
    $\Sigma^t_c \supseteq \Sigma^t_a$        By lemma valid subs Sound and Complete
    $\exists \sigma' \in \Sigma^t_c \;.\; \mathcal{B}^{abs};\rho^{abs} \vdash P_{req}[\sigma'] \Rightarrow True$        By $\Sigma^t_c \supseteq \Sigma^t_a$
    Let $\rho^{absA'} = lattice(Q[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs})$
    $\rho^{concA'} = lattice(Q[\sigma], \mathcal{A}^{conc}, \mathcal{B}^{conc})$        By Lemma lattice sound
    $\rho^{concA'} \sqsubseteq \rho^{absA'}$        By Lemma lattice sound
    $\rho^{concA'} \trianglelefteq \rho^{absA'}$        By Lemma lattice sound
    Let $\rho^{absA} = {\downarrow}\rho^{absA'}$
    Let $\rho^{concA} = {\downarrow}\rho^{concA'}$
    $\rho^{concA} \sqsubseteq \rho^{absA}$        By Lemma $\downarrow$ preserves $\sqsubseteq$
    $\rho^{concA} \trianglelefteq \rho^{absA}$        By Lemma $\downarrow$ preserves $\trianglelefteq$
    $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{full} cons \hookrightarrow \rho^{concA}$        By rule full-U-sound

  Case: $t = False$

    $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{full} cons \hookrightarrow \bot_{\mathcal{A}^{conc}}$        By rule full-sound-False
    Let $\rho^{absA} = {\downarrow}\rho^{absA'}$
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}} \;.\; E = bot$        By definition of $\bot_{\mathcal{A}}$
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}} \;.\; E \sqsubseteq \rho^{absA}(R)$        By rule $\sqsubseteq$-bot
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \rho^{absA}$        By rule $\sqsubseteq$-$\rho$
    $\forall R \mapsto E \in \rho^{absA} \;.\; E = bot \vee E = unknown$        By $\downarrow$ creates polarity
    $\forall R \mapsto E \in \bot_{\mathcal{A}^{conc}} \;.\; E \trianglelefteq \rho^{absA}(R)$        By rule $\trianglelefteq$-bot or $\trianglelefteq$-unknown
    $\bot_{\mathcal{A}^{conc}} \trianglelefteq \rho^{absA}$        By rule $\trianglelefteq$-$\rho$
    $\mathcal{A}^{conc};\mathcal{B}^{conc};\rho^{conc};\sigma \vdash_{full} cons \hookrightarrow \rho^{concA}$        By rule full-F-sound

□
Theorem F.5. Truth Checking Sound

forall deriv.
  $\rho^{conc} \sqsubseteq \rho^{abs}$
  $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$
  $\rho^{abs}$ final
  $\rho^{conc}$ final
  $\mathcal{A}^{conc} \vdash \sigma$ validFor $FV(P)$
  $\mathcal{A}^{conc} \vdash \rho^{conc}$ consistent
  $\mathcal{B}^{abs};\rho^{abs} \vdash P[\sigma] \Rightarrow t_a$

exists deriv.
  $\mathcal{B}^{conc};\rho^{conc} \vdash P[\sigma] \Rightarrow t_c$
  $t_c \preceq t_a$

Proof:

By induction on $\mathcal{B}^{abs};\rho^{abs} \vdash P[\sigma] \Rightarrow t_a$


Case: (REL-TRUE)

    $\rho^{abs}(rel(\ell)[\sigma]) = true$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash rel(\ell)[\sigma] \Rightarrow True$

  Let $R = rel(\ell)[\sigma]$
  $R \in dom(\rho^{conc})$        By lemma $\sigma$ valid and $\rho$ consistent
  Let $E_c = \rho^{conc}(R)$
  By case analysis on the value of $E_c$

  Case: $E_c = true$
    $\mathcal{B}^{conc};\rho^{conc} \vdash R \Rightarrow True$        By rule rel-True
    $True \preceq True$        By rule $\preceq$-=
  Case: $E_c = false$
    Contradiction with $\rho^{conc} \sqsubseteq \rho^{abs}$
  Case: $E_c = unknown$
    Contradiction with $\rho^{conc} \sqsubseteq \rho^{abs}$
  Case: $E_c = bot$
    Contradiction with $\rho^{conc}$ final
Case: (REL-FALSE)

    $\rho^{abs}(rel(\ell)[\sigma]) = false$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash rel(\ell)[\sigma] \Rightarrow False$

  Let $R = rel(\ell)[\sigma]$
  $R \in dom(\rho^{conc})$        By lemma $\sigma$ valid and $\rho$ consistent
  Let $E_c = \rho^{conc}(R)$
  By case analysis on the value of $E_c$

  Case: $E_c = false$
    $\mathcal{B}^{conc};\rho^{conc} \vdash R \Rightarrow False$        By rule rel-False
    $False \preceq False$        By rule $\preceq$-=
  Case: $E_c = true$
    Contradiction with $\rho^{conc} \sqsubseteq \rho^{abs}$
  Case: $E_c = unknown$
    Contradiction with $\rho^{conc} \sqsubseteq \rho^{abs}$
  Case: $E_c = bot$
    Contradiction with $\rho^{conc}$ final

Case: (REL-UNKNOWN-SOUND-COMPLETE)

    $\rho^{abs}(rel(\ell)) = E_a$    $E_a \neq true$    $E_a \neq false$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash rel(\ell) \Rightarrow Unknown$

  $E_a = unknown$        By $\rho^{abs}$ final
  Let $R = rel(\ell)[\sigma]$
  $R \in dom(\rho^{conc})$        By lemma $\sigma$ valid and $\rho$ consistent
  Let $E_c = \rho^{conc}(R)$
  By case analysis on the value of $E_c$

  Case: $E_c = false$
    $\mathcal{B}^{conc};\rho^{conc} \vdash R \Rightarrow False$        By rule rel-False
    $False \preceq Unknown$        By rule $\preceq$-U
  Case: $E_c = true$
    $\mathcal{B}^{conc};\rho^{conc} \vdash R \Rightarrow True$        By rule rel-True
    $True \preceq Unknown$        By rule $\preceq$-U
  Case: $E_c = unknown$
    $\mathcal{B}^{conc};\rho^{conc} \vdash R \Rightarrow Unknown$        By rule rel-Unknown-sound-complete
    $Unknown \preceq Unknown$        By rule $\preceq$-U
  Case: $E_c = bot$
    Contradiction with $\rho^{conc}$ final

Case: (REL-TEST-TRUE)

    $\mathcal{B}^{abs};\rho^{abs} \vdash A \Rightarrow t_a$    $\mathcal{B}^{abs}(\ell_{test}) = t_a$    $t_a \neq Unknown$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash A/\ell_{test} \Rightarrow True$

  $\mathcal{B}^{conc};\rho^{conc} \vdash A \Rightarrow t_c$        By induction hypothesis
  $t_c \preceq t_a$        By induction hypothesis
  By case analysis on $t_c$

  Case: $t_c = True$
    $\mathcal{B}^{conc}(\ell_{test}) = True$        By $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$
    $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow True$        By rule rel-test-True
    $True \preceq True$        By rule $\preceq$-=
  Case: $t_c = False$
    $\mathcal{B}^{conc}(\ell_{test}) = False$        By $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$
    $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow True$        By rule rel-test-True
    $True \preceq True$        By rule $\preceq$-=
  Case: $t_c = Unknown$
    Contradiction with $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$


Case: (REL-TEST-FALSE)

    $\mathcal{B}^{abs};\rho^{abs} \vdash A \Rightarrow t^a_1$    $\mathcal{B}^{abs}(\ell_{test}) = t^a_2$    $t^a_1 \neq Unknown$    $t^a_2 \neq Unknown$    $t^a_1 \neq t^a_2$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash A/\ell_{test} \Rightarrow False$

  $\mathcal{B}^{conc};\rho^{conc} \vdash A \Rightarrow t^c_1$        By induction hypothesis
  $t^c_1 \preceq t^a_1$        By induction hypothesis
  By case analysis on $t^c_1$

  Case: $t^c_1 = True$
    $\mathcal{B}^{conc}(\ell_{test}) = t^c_2$        By $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$
    By case analysis on $t^c_2$
    Case: $t^c_2 = True$
      Contradiction with $t^c_1 \preceq t^a_1$ and $t^a_1 \neq t^a_2$ and $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$
    Case: $t^c_2 = False$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow False$        By rule rel-test-False
      $False \preceq False$        By rule $\preceq$-=
    Case: $t^c_2 = Unknown$
      Contradiction with $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$

  Case: $t^c_1 = False$
    $\mathcal{B}^{conc}(\ell_{test}) = t^c_2$        By $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$
    By case analysis on $t^c_2$
    Case: $t^c_2 = False$
      Contradiction with $t^c_1 \preceq t^a_1$ and $t^a_1 \neq t^a_2$ and $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$
    Case: $t^c_2 = True$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow False$        By rule rel-test-False
      $False \preceq False$        By rule $\preceq$-=
    Case: $t^c_2 = Unknown$
      Contradiction with $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$

  Case: $t^c_1 = Unknown$
    Contradiction with $\mathcal{B}^{conc} \sqsubseteq \mathcal{B}^{abs}$

Case: (REL-TEST-U1)

    $\mathcal{B}^{abs};\rho^{abs} \vdash A \Rightarrow Unknown$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash A/\ell_{test} \Rightarrow Unknown$

  $\mathcal{B}^{conc};\rho^{conc} \vdash A \Rightarrow t^c_1$        By induction hypothesis
  $t^c_1 \preceq Unknown$        By induction hypothesis
  Let $t^c_2 = \mathcal{B}^{conc}(\ell_{test})$
  By case analysis on $t^c_1$

  Case: $t^c_1 = True$
    By case analysis on $t^c_2$
    Case: $t^c_2 = True$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow True$        By rule rel-test-True
      $True \preceq Unknown$        By rule $\preceq$-U
    Case: $t^c_2 = False$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow False$        By rule rel-test-False
      $False \preceq Unknown$        By rule $\preceq$-U
    Case: $t^c_2 = Unknown$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow Unknown$        By rule rel-test-u2
      $Unknown \preceq Unknown$        By rule $\preceq$-U

  Case: $t^c_1 = False$
    By case analysis on $t^c_2$
    Case: $t^c_2 = False$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow True$        By rule rel-test-True
      $True \preceq Unknown$        By rule $\preceq$-U
    Case: $t^c_2 = True$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow False$        By rule rel-test-False
      $False \preceq Unknown$        By rule $\preceq$-U
    Case: $t^c_2 = Unknown$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow Unknown$        By rule rel-test-u2
      $Unknown \preceq Unknown$        By rule $\preceq$-U

  Case: $t^c_1 = Unknown$
    $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow Unknown$        By rule rel-test-u1
    $Unknown \preceq Unknown$        By rule $\preceq$-=

Case: (REL-TEST-U2)

    $\mathcal{B}^{abs}(\ell_{test}) = Unknown$    $\mathcal{B}^{abs};\rho^{abs} \vdash A \Rightarrow t^a_1$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash A/\ell_{test} \Rightarrow Unknown$

  $\mathcal{B}^{conc};\rho^{conc} \vdash A \Rightarrow t^c_1$        By induction hypothesis
  $t^c_1 \preceq t^a_1$        By induction hypothesis
  Let $t^c_2 = \mathcal{B}^{conc}(\ell_{test})$
  By case analysis on $t^c_1$

  Case: $t^c_1 = True$
    By case analysis on $t^c_2$
    Case: $t^c_2 = True$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow True$        By rule rel-test-True
      $True \preceq Unknown$        By rule $\preceq$-U
    Case: $t^c_2 = False$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow False$        By rule rel-test-False
      $False \preceq Unknown$        By rule $\preceq$-U
    Case: $t^c_2 = Unknown$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow Unknown$        By rule rel-test-u2
      $Unknown \preceq Unknown$        By rule $\preceq$-U

  Case: $t^c_1 = False$
    By case analysis on $t^c_2$
    Case: $t^c_2 = False$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow True$        By rule rel-test-True
      $True \preceq Unknown$        By rule $\preceq$-U
    Case: $t^c_2 = True$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow False$        By rule rel-test-False
      $False \preceq Unknown$        By rule $\preceq$-U
    Case: $t^c_2 = Unknown$
      $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow Unknown$        By rule rel-test-u2
      $Unknown \preceq Unknown$        By rule $\preceq$-U

  Case: $t^c_1 = Unknown$
    $\mathcal{B}^{conc};\rho^{conc} \vdash A/\ell_{test} \Rightarrow Unknown$        By rule rel-test-u1
    $Unknown \preceq Unknown$        By rule $\preceq$-=

Case: ($\neg$S-UNKNOWN)

    $\mathcal{B}^{abs};\rho^{abs} \vdash S \Rightarrow Unknown$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash \neg S \Rightarrow Unknown$

  $\mathcal{B}^{conc};\rho^{conc} \vdash S \Rightarrow t_c$        By induction hypothesis
  $t_c \preceq Unknown$        By induction hypothesis
  By case analysis on the value of $t_c$

  Case: $t_c = True$
    $\mathcal{B}^{conc};\rho^{conc} \vdash \neg S \Rightarrow False$        By rule $\neg$S-False
    $False \preceq Unknown$        By rule $\preceq$-U
  Case: $t_c = False$
    $\mathcal{B}^{conc};\rho^{conc} \vdash \neg S \Rightarrow True$        By rule $\neg$S-True
    $True \preceq Unknown$        By rule $\preceq$-U
  Case: $t_c = Unknown$
    $\mathcal{B}^{conc};\rho^{conc} \vdash \neg S \Rightarrow Unknown$        By rule $\neg$S-Unknown
    $Unknown \preceq Unknown$        By rule $\preceq$-U

Case: ($\neg$S-TRUE)

    $\mathcal{B}^{abs};\rho^{abs} \vdash S \Rightarrow False$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash \neg S \Rightarrow True$

  $\mathcal{B}^{conc};\rho^{conc} \vdash S \Rightarrow t_c$        By induction hypothesis
  $t_c \preceq False$        By induction hypothesis
  By case analysis on the value of $t_c$

  Case: $t_c = False$
    $\mathcal{B}^{conc};\rho^{conc} \vdash \neg S \Rightarrow True$        By rule $\neg$S-True
    $True \preceq True$        By rule $\preceq$-=
  Case: $t_c = True$
    Contradiction with $t_c \preceq False$
  Case: $t_c = Unknown$
    Contradiction with $t_c \preceq False$

Case: ($\neg$S-FALSE)

    $\mathcal{B}^{abs};\rho^{abs} \vdash S \Rightarrow True$
    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash \neg S \Rightarrow False$

  $\mathcal{B}^{conc};\rho^{conc} \vdash S \Rightarrow t_c$        By induction hypothesis
  $t_c \preceq True$        By induction hypothesis
  By case analysis on the value of $t_c$

  Case: $t_c = True$
    $\mathcal{B}^{conc};\rho^{conc} \vdash \neg S \Rightarrow False$        By rule $\neg$S-False
    $False \preceq False$        By rule $\preceq$-=
  Case: $t_c = False$
    Contradiction with $t_c \preceq True$
  Case: $t_c = Unknown$
    Contradiction with $t_c \preceq True$

Case: (TRUE)

    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash true \Rightarrow True$

  $\mathcal{B}^{conc};\rho^{conc} \vdash true \Rightarrow True$        By rule true
  $True \preceq True$        By rule $\preceq$-=

Case: (FALSE)

    ------------------------------------------------------------
    $\mathcal{B}^{abs};\rho^{abs} \vdash false \Rightarrow False$

  $\mathcal{B}^{conc};\rho^{conc} \vdash false \Rightarrow False$        By rule false
  $False \preceq False$        By rule $\preceq$-=

Remaining cases work as expected for a three-valued logic.

□
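The judgement $\mathcal{B};\rho \vdash P \Rightarrow t$ and the precision ordering $\preceq$ from Theorem F.5, as an added example in Python (not code from the paper): it implements the rel, test, negation and constant cases named in the proof above, the pointwise store orderings the hypotheses use, and then exhaustively checks the theorem's conclusion $t_c \preceq t_a$ over every pair of final stores on one relation key and one test label. Substitution $\sigma$ is assumed to be already applied, so predicates refer to relation keys directly; the predicate encoding, the function names and the sample predicate list are this example's own assumptions.

```python
"""
Three-valued truth checking from Theorem F.5 (Truth Checking Sound),
exhausted over small concrete/abstract store pairs.

Added example. The rules (rel-True/False/Unknown, rel-test-True/False/u1/u2,
neg-S-True/False/Unknown, true, false) and the orderings are transcribed
from the proof cases; the tuple encoding of predicates and the assumption
that sigma is already applied are this example's, not the paper's.
"""
from itertools import product

TRUE, FALSE, UNKNOWN = "True", "False", "Unknown"
TRUTH = (TRUE, FALSE, UNKNOWN)
BOT = "bot"   # relation-store value excluded by the 'final' hypothesis


def ev(pred, b, rho):
    """B; rho |- P => t.  b: test label -> truth value, rho: key -> store value."""
    kind = pred[0]
    if kind == "true":
        return TRUE
    if kind == "false":
        return FALSE
    if kind == "rel":                          # rel-True / rel-False / rel-Unknown
        e = rho[pred[1]]
        return TRUE if e == "true" else FALSE if e == "false" else UNKNOWN
    if kind == "not":                          # neg-S-True / -False / -Unknown
        t = ev(pred[1], b, rho)
        return FALSE if t == TRUE else TRUE if t == FALSE else UNKNOWN
    if kind == "test":                         # A / l_test
        t1, t2 = ev(pred[1], b, rho), b[pred[2]]
        if t1 == UNKNOWN or t2 == UNKNOWN:     # rel-test-u1 / rel-test-u2
            return UNKNOWN
        return TRUE if t1 == t2 else FALSE     # rel-test-True / rel-test-False
    raise ValueError(kind)


def truth_leq(tc, ta):
    """t_c precedes t_a: rule '=' (equal) or rule 'U' (abstract side Unknown)."""
    return tc == ta or ta == UNKNOWN


def value_leq(ec, ea):
    """E^conc is refined by E^abs: rules bot, unknown and '=' on store values."""
    return ec == BOT or ea == "unknown" or (ec == ea and ec not in (BOT, "unknown"))


def store_leq(conc, abst, leq):
    """Pointwise ordering over stores with equal domains (the consistency hypothesis)."""
    return conc.keys() == abst.keys() and all(leq(conc[k], abst[k]) for k in conc)


def check_truth_sound():
    """For every admissible store pair and sample predicate: ev(conc) precedes ev(abs)."""
    preds = [  # constructed sample predicates over key "r" and test label "l"
        ("true",), ("false",), ("rel", "r"), ("not", ("rel", "r")),
        ("test", ("rel", "r"), "l"),
        ("not", ("test", ("not", ("rel", "r")), "l")),
    ]
    finals = ("true", "false", "unknown")      # final stores contain no bot
    for rc, ra, bc, ba in product(finals, finals, TRUTH, TRUTH):
        rho_c, rho_a, b_c, b_a = {"r": rc}, {"r": ra}, {"l": bc}, {"l": ba}
        if not (store_leq(rho_c, rho_a, value_leq) and store_leq(b_c, b_a, truth_leq)):
            continue                            # hypotheses of F.5 not met
        for p in preds:
            if not truth_leq(ev(p, b_c, rho_c), ev(p, b_a, rho_a)):
                return False
    return True


if __name__ == "__main__":
    print("Theorem F.5 holds on the enumerated stores:", check_truth_sound())
```

The interesting case is the test predicate: an abstract Unknown in either the sub-predicate or the recorded branch outcome forces Unknown (rules u1 and u2), which is exactly what lets a definite concrete True or False sit below it under $\preceq$; the two contradiction branches in REL-TEST-FALSE correspond to store pairs that `store_leq` rejects.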
Theorem F.6. Instruction Binding Sound

forall deriv.
  $\mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$
  $\mathcal{A}^{abs} \vdash instr : op \mapsto (\Sigma^t_a, \Sigma^u_a)$

exists deriv.
  $\mathcal{A}^{conc} \vdash instr : op \mapsto (\Sigma^t_c, \Sigma^u_c)$
  $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$
  $\Sigma^u_c \subseteq \Sigma^u_a$
  $\Sigma^t_c \supseteq \Sigma^t_a$

Proof:

By case analysis on the structure of the derivation of $\mathcal{A}^{abs} \vdash instr : op \mapsto (\Sigma^t_a, \Sigma^u_a)$

Case: (INVOKE)

    $FV(\tau_{this}.m(\bar{y} : \bar{\tau}) : \tau_{ret}) \subseteq \Gamma_V$
    $(\Sigma^t_a, \Sigma^u_a) = findLabels(\mathcal{A}^{abs}, \Gamma_V, \{x_{ret}, x_{this}\} \cup \bar{x}, \{ret, this\} \cup \bar{y})$
    ------------------------------------------------------------
    $\mathcal{A}^{abs};\Gamma_V \vdash x_{ret} = x_{this}.m(\bar{x}) : \tau_{this}.m(\bar{y} : \bar{\tau}) : \tau_{ret} \mapsto (\Sigma^t_a, \Sigma^u_a)$

  $(\Sigma^t_c, \Sigma^u_c) = findLabels(\mathcal{A}^{conc}, \Gamma_V, \{x_{ret}, x_{this}\} \cup \bar{x}, \{ret, this\} \cup \bar{y})$        By lemma FindLabels sound and complete
  $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$        By lemma FindLabels sound and complete
  $\Sigma^u_c \subseteq \Sigma^u_a$        By lemma FindLabels sound and complete
  $\Sigma^t_c \supseteq \Sigma^t_a$        By lemma FindLabels sound and complete
  $\mathcal{A}^{conc};\Gamma_V \vdash x_{ret} = x_{this}.m(\bar{x}) : \tau_{this}.m(\bar{y} : \bar{\tau}) : \tau_{ret} \mapsto (\Sigma^t_c, \Sigma^u_c)$        By rule invoke

Case: (CONSTRUCTOR)

    $FV(\mathrm{new}\ \tau(\bar{y} : \bar{\tau})) \subseteq \Gamma_V$
    $(\Sigma^t_a, \Sigma^u_a) = findLabels(\mathcal{A}^{abs}, \Gamma_V, \{x_{ret}\} \cup \bar{x}, \{this\} \cup \bar{y})$
    ------------------------------------------------------------
    $\mathcal{A}^{abs};\Gamma_V \vdash x_{ret} = \mathrm{new}\ \tau(\bar{x}) : \mathrm{new}\ \tau(\bar{y} : \bar{\tau}) \mapsto (\Sigma^t_a, \Sigma^u_a)$

  $(\Sigma^t_c, \Sigma^u_c) = findLabels(\mathcal{A}^{conc}, \Gamma_V, \{x_{ret}\} \cup \bar{x}, \{this\} \cup \bar{y})$        By lemma FindLabels sound and complete
  $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$        By lemma FindLabels sound and complete
  $\Sigma^u_c \subseteq \Sigma^u_a$        By lemma FindLabels sound and complete
  $\Sigma^t_c \supseteq \Sigma^t_a$        By lemma FindLabels sound and complete
  $\mathcal{A}^{conc};\Gamma_V \vdash x_{ret} = \mathrm{new}\ \tau(\bar{x}) : \mathrm{new}\ \tau(\bar{y} : \bar{\tau}) \mapsto (\Sigma^t_c, \Sigma^u_c)$        By rule constructor

Case: (EOM)

    ------------------------------------------------------------
    $\mathcal{A}^{abs};\Gamma_V \vdash eom : \mathrm{end\text{-}of\text{-}method} \mapsto (\{\emptyset\}, \emptyset)$

  $\mathcal{A}^{conc};\Gamma_V \vdash eom : \mathrm{end\text{-}of\text{-}method} \mapsto (\{\emptyset\}, \emptyset)$        By rule eom
  $\Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$        By $\{\emptyset\} \subseteq \{\emptyset\} \cup \emptyset$
  $\Sigma^u_c \subseteq \Sigma^u_a$        By $\emptyset \subseteq \emptyset$
  $\Sigma^t_c \supseteq \Sigma^t_a$        By $\{\emptyset\} \supseteq \{\emptyset\}$

□
G  Operator Lemmas

Theorem G.1. $\sqcup$ operator preserves $\sqsubseteq$

forall derivations of
  $E^{conc}_l \sqsubseteq E^{abs}_l \;\wedge\; E^{conc}_r \sqsubseteq E^{abs}_r \;\wedge\; E^{conc}_l \sqcup E^{conc}_r = E^{conc} \;\wedge\; E^{abs}_l \sqcup E^{abs}_r = E^{abs}$

exists derivations of
  $E^{conc} \sqsubseteq E^{abs}$

Proof:

By case analysis on the structure of the derivation of $E^{abs}_l \sqcup E^{abs}_r = E^{abs}$

Case: ($\sqcup$-BOT-L)  $bot \sqcup E = E$
  $E^{conc}_l = bot$        By inversion on $E^{conc}_l \sqsubseteq E^{abs}_l$
  $E^{conc} = E^{conc}_r$        By inversion on $E^{conc}_l \sqcup E^{conc}_r = E^{conc}$
  $E^{conc} \sqsubseteq E^{abs}$        By equality

Case: ($\sqcup$-BOT-R)  $E \sqcup bot = E$
  $E^{conc}_r = bot$        By inversion on $E^{conc}_r \sqsubseteq E^{abs}_r$
  $E^{conc} = E^{conc}_l$        By inversion on $E^{conc}_l \sqcup E^{conc}_r = E^{conc}$
  $E^{conc} \sqsubseteq E^{abs}$        By equality

Case: ($\sqcup$-=)  $E \sqcup E = E$
  $E^{conc} \sqsubseteq E^{abs}$        By equality

Case: ($\sqcup$-$\neq$)  $E_l \neq bot$, $E_r \neq bot$, $E_l \neq E_r$ imply $E_l \sqcup E_r = unknown$
  $E^{conc} \sqsubseteq E^{abs}$        By rule $\sqsubseteq$-unknown

□
Theorem G.2. $\sqcup$ operator preserves $\trianglelefteq$

forall deriv.
  d1 : $E^c_l \trianglelefteq E^a_l$
  d2 : $E^c_r \trianglelefteq E^a_r$
  d3 : $E_a = E^a_l \sqcup E^a_r$
  d4 : $E_c = E^c_l \sqcup E^c_r$

exists deriv.
  d5 : $E_c \trianglelefteq E_a$

Proof:

By case analysis on d4

Case: ($\sqcup$-BOT-L)  $bot \sqcup E^c_r = E^c_r$
  By case analysis on d1
  Case: ($\trianglelefteq$-BOT)  $bot \trianglelefteq bot$
    $E_a = E^a_r$        By inversion on d3
    $E_c \trianglelefteq E_a$        By $E^c_r \trianglelefteq E^a_r$
  Case: ($\trianglelefteq$-UNKNOWN)  $bot \trianglelefteq unknown$
    $E_a = unknown$        By inversion on d3
    $E_c \trianglelefteq E_a$        By rule $\trianglelefteq$-bot or $\trianglelefteq$-unknown
  Case: ($\trianglelefteq$-OTHER)  $E^c_l \neq bot$ implies $E^c_l \trianglelefteq E^a_l$
    Invalid case by $E^c_l = bot$

Case: ($\sqcup$-BOT-R)  $E^c_l \sqcup bot = E^c_l$
  By case analysis on d2
  Case: ($\trianglelefteq$-BOT)  $bot \trianglelefteq bot$
    $E_a = E^a_l$        By inversion on d3
    $E_c \trianglelefteq E_a$        By $E^c_l \trianglelefteq E^a_l$
  Case: ($\trianglelefteq$-UNKNOWN)  $bot \trianglelefteq unknown$
    $E_a = unknown$        By inversion on d3
    $E_c \trianglelefteq E_a$        By rule $\trianglelefteq$-bot or $\trianglelefteq$-unknown
  Case: ($\trianglelefteq$-OTHER)  $E^c_r \neq bot$ implies $E^c_r \trianglelefteq E^a_r$
    Invalid case by $E^c_r = bot$

Case: ($\sqcup$-=)  $E^c \sqcup E^c = E^c$
  By case analysis on d3
  Case: ($\sqcup$-BOT-L)  $bot \sqcup E^a_r = E^a_r$
    $E_c \trianglelefteq E_a$        By $E^c_r \trianglelefteq E^a_r$
  Case: ($\sqcup$-BOT-R)  $E^a_l \sqcup bot = E^a_l$
    $E_c \trianglelefteq E_a$        By $E^c_l \trianglelefteq E^a_l$
  Case: ($\sqcup$-=)  $E^a \sqcup E^a = E^a$
    $E_c \trianglelefteq E_a$        By $E^c_l \trianglelefteq E^a_l$
  Case: ($\sqcup$-$\neq$)  $E^a_l \neq bot$, $E^a_r \neq bot$, $E^a_l \neq E^a_r$ imply $E^a_l \sqcup E^a_r = unknown$
    By case on whether $E_c = bot$
    Case: $E_c = bot$
      $E_c \trianglelefteq E_a$        By rule $\trianglelefteq$-unknown
    Case: $E_c \neq bot$
      $E_c \trianglelefteq E_a$        By rule $\trianglelefteq$-other

Case: ($\sqcup$-$\neq$)  $E^c_l \neq bot$, $E^c_r \neq bot$, $E^c_l \neq E^c_r$ imply $E^c_l \sqcup E^c_r = unknown$
  $E_c \trianglelefteq E_a$        By rule $\trianglelefteq$-other

□
Theorem G.3. $\dot\sqcup$ preserves polarity

forall deriv.
  d1 : $E = E_l \mathrel{\dot\sqcup} E_r$
  d2 : $E_l = bot \vee E_l = unknown$

exists deriv.
  d4 : $E = bot \vee E = unknown$

Proof:

By case analysis on d1

Case: (EQJOIN-=)  $E_l \mathrel{\dot\sqcup} E_l = E_l$
  $E = bot \vee E = unknown$        By $E_l = bot \vee E_l = unknown$

Case: (EQJOIN-$\neq$)  $E_l \neq E_r$ implies $E_l \mathrel{\dot\sqcup} E_r = unknown$
  $E = bot \vee E = unknown$        By $E = unknown$

□
Theorem G.4. $\dot\sqcup$ less precise than operands

forall deriv.
  d1 : $E = E_l \mathrel{\dot\sqcup} E_r$

exists deriv.
  d2 : $E_l \sqsubseteq E$
  d3 : $E_r \sqsubseteq E$

Proof:

By case analysis on d1

Case: (EQJOIN-=)  $E \mathrel{\dot\sqcup} E = E$
  $E_l \sqsubseteq E$        By rule $\sqsubseteq$-=
  $E_r \sqsubseteq E$        By rule $\sqsubseteq$-=

Case: (EQJOIN-$\neq$)  $E_l \neq E_r$ implies $E_l \mathrel{\dot\sqcup} E_r = unknown$
  $E_l \sqsubseteq E$        By rule $\sqsubseteq$-unknown
  $E_r \sqsubseteq E$        By rule $\sqsubseteq$-unknown

□
Theorem G.5. $\dot\sqcup$ maintains super-precise on an operand

forall deriv.
  d1 : $E = E_l \mathrel{\dot\sqcup} E_r$
  d2 : $E' \trianglelefteq E_l$

exists deriv.
  d3 : $E' \trianglelefteq E$

Proof:

By case analysis on d1

Case: (EQJOIN-=)  $E_l \mathrel{\dot\sqcup} E_l = E_l$
  $E' \trianglelefteq E$        By $E' \trianglelefteq E_l$

Case: (EQJOIN-$\neq$)  $E_l \neq E_r$ implies $E_l \mathrel{\dot\sqcup} E_r = unknown$
  $E' \trianglelefteq E$        By rule $\trianglelefteq$-unknown or $\trianglelefteq$-other

□
Theorem G.6. $\dot\sqcup$ preserves $\sqsubseteq$ and $\trianglelefteq$

forall deriv.
  $E_c = E^c_l \mathrel{\dot\sqcup} E^c_r$
  $E_a = E^a_l \mathrel{\dot\sqcup} E^a_r$
  $E^c_l \sqsubseteq E^a_l$
  $E^c_r \sqsubseteq E^a_r$
  $E^c_l \trianglelefteq E^a_l$
  $E^c_r \trianglelefteq E^a_r$

exists deriv.
  $E_c \sqsubseteq E_a$
  $E_c \trianglelefteq E_a$

Proof:

By case analysis on $E_c = E^c_l \mathrel{\dot\sqcup} E^c_r$

Case: (EQJOIN-=)  $E^c \mathrel{\dot\sqcup} E^c = E^c$
  By case analysis on $E_a = E^a_l \mathrel{\dot\sqcup} E^a_r$
  Case: (EQJOIN-=)  $E^a \mathrel{\dot\sqcup} E^a = E^a$
    $E_c \sqsubseteq E_a$        By $E^c_l \sqsubseteq E^a_l$
    $E_c \trianglelefteq E_a$        By $E^c_l \trianglelefteq E^a_l$
  Case: (EQJOIN-$\neq$)  $E^a_l \neq E^a_r$ implies $E^a_l \mathrel{\dot\sqcup} E^a_r = unknown$
    $E_c \sqsubseteq E_a$        By rule $\sqsubseteq$-unknown
    $E_c \trianglelefteq E_a$        By rule $\trianglelefteq$-unknown or $\trianglelefteq$-other

Case: (EQJOIN-$\neq$)  $E^c_l \neq E^c_r$ implies $E^c_l \mathrel{\dot\sqcup} E^c_r = unknown$
  $E_c \trianglelefteq E_a$        By rule $\trianglelefteq$-other
  By case analysis on $E_a = E^a_l \mathrel{\dot\sqcup} E^a_r$
  Case: (EQJOIN-=)  $E^a \mathrel{\dot\sqcup} E^a = E^a$
    By case analysis on the value of $E_a$
    Case: $E_a = unknown$
      $E_c \sqsubseteq E_a$        By rule $\sqsubseteq$-unknown
    Case: $E_a = bot$
      $E^c_l = bot$        By $E^c_l \sqsubseteq E^a_l$
      $E^c_r = bot$        By $E^c_r \sqsubseteq E^a_r$
      Invalid case by $E^c_l \neq E^c_r$
    Case: $E_a = true$
      $E^c_l \neq bot$        By $E^c_l \trianglelefteq E^a_l$
      $E^c_r \neq bot$        By $E^c_r \trianglelefteq E^a_r$
      $E^c_l = true$        By $E^c_l \sqsubseteq E^a_l$
      $E^c_r = true$        By $E^c_r \sqsubseteq E^a_r$
      Invalid case by $E^c_l \neq E^c_r$
    Case: $E_a = false$
      $E^c_l \neq bot$        By $E^c_l \trianglelefteq E^a_l$
      $E^c_r \neq bot$        By $E^c_r \trianglelefteq E^a_r$
      $E^c_l = false$        By $E^c_l \sqsubseteq E^a_l$
      $E^c_r = false$        By $E^c_r \sqsubseteq E^a_r$
      Invalid case by $E^c_l \neq E^c_r$
  Case: (EQJOIN-$\neq$)  $E^a_l \neq E^a_r$ implies $E^a_l \mathrel{\dot\sqcup} E^a_r = unknown$
    $E_c \sqsubseteq E_a$        By rule $\sqsubseteq$-unknown

□
Theorem G.7. $\dot\sqcup$ on sets preserves $\sqsubseteq$ and $\trianglelefteq$

forall der.
  d1 : $\rho_c = \dot\sqcup\, \mathcal{P}_c$
  d2 : $\rho_a = \dot\sqcup\, \mathcal{P}_a$
  d3 : $\forall \rho'_c \in \mathcal{P}_c \;.\; \exists \rho'_a \in \mathcal{P}_a \;.\; \rho'_c \sqsubseteq \rho'_a \wedge \rho'_c \trianglelefteq \rho'_a$
       (where each $\rho'_c$ has a distinct $\rho'_a$)

exists der.
  d4 : $\rho_c \sqsubseteq \rho_a$
  d5 : $\rho_c \trianglelefteq \rho_a$

Proof:

By induction on d1

Case: $\rho_c = \rho'_c$
  Let $\rho'_a$ be the distinct $\rho'_a$ for $\rho'_c$
  By case analysis on the form of $\mathcal{P}_a$
  Case $\mathcal{P}_a = \{\rho'_a\}$
    $\rho_c \sqsubseteq \rho_a$        By $\rho'_c \sqsubseteq \rho'_a$
    $\rho_c \trianglelefteq \rho_a$        By $\rho'_c \trianglelefteq \rho'_a$
  Case $\mathcal{P}_a = \{\rho'_a\} \cup \mathcal{P}'_a$ where $\mathcal{P}'_a \neq \emptyset$
    $\rho_a = \rho'_a \mathrel{\dot\sqcup} \rho''_a$ where $\rho''_a = \dot\sqcup\, (\mathcal{P}_a - \rho'_a)$
    $\rho'_a \sqsubseteq \rho_a$        By Lemma $\dot\sqcup$ less precise than operands
    $\rho_c \sqsubseteq \rho_a$        By $\sqsubseteq$ transitive
    $\rho_c \trianglelefteq \rho_a$        By Lemma $\dot\sqcup$ maintains $\trianglelefteq$ for operand

Case: $\rho_c = \rho'_c \mathrel{\dot\sqcup} (\dot\sqcup\, \mathcal{P}'_c)$
  Let $\rho''_c = \dot\sqcup\, \mathcal{P}'_c$
  Let $\rho'_a$ be the distinct $\rho'_a$ for $\rho'_c$
  $\rho_a = \rho'_a \mathrel{\dot\sqcup} \rho''_a$ where $\rho''_a = \dot\sqcup\, (\mathcal{P}_a - \rho'_a)$
  $\rho'_c \sqsubseteq \rho'_a$        By induction hypothesis
  $\rho'_c \trianglelefteq \rho'_a$        By induction hypothesis
  $\rho''_c \sqsubseteq \rho''_a$        By induction hypothesis
  $\rho''_c \trianglelefteq \rho''_a$        By induction hypothesis
  $\rho_c \sqsubseteq \rho_a$        By Lemma $\dot\sqcup$ preserves $\sqsubseteq$ and $\trianglelefteq$
  $\rho_c \trianglelefteq \rho_a$        By Lemma $\dot\sqcup$ preserves $\sqsubseteq$ and $\trianglelefteq$

□
Theorem G.8. $\downarrow$ creates polarity

forall deriv.

$d_1 : \downarrow E = E'$

exists deriv.

$d_2 : E' = \mathrm{bot} \vee E' = \mathrm{unknown}$

Proof:

By case analysis on $d_1$

Case ($\downarrow$-bot): $\downarrow \mathrm{bot} = \mathrm{bot}$, so $E' = \mathrm{bot}$

Case ($\downarrow$-unknown), with premise $E \neq \mathrm{bot}$: $\downarrow E = \mathrm{unknown}$, so $E' = \mathrm{unknown}$

□
Theorem G.9. $\downarrow$ on abstract preserves $\sqsubseteq$

forall deriv.

$d_1 : E_c \sqsubseteq E'_a$
$d_2 : \downarrow E'_a = E_a$

exists deriv.

$d_3 : E_c \sqsubseteq E_a$

Proof:

By case analysis on $d_1$

Case ($\sqsubseteq$-bot): $\mathrm{bot} \sqsubseteq E'_a$, so $E_c = \mathrm{bot}$
  $E_c \sqsubseteq E_a$   By rule $\sqsubseteq$-bot

Case ($\sqsubseteq$-unknown): $E_c \sqsubseteq \mathrm{unknown}$, so $E'_a = \mathrm{unknown}$
  By case analysis on $d_2$
  Case ($\downarrow$-bot): $\downarrow \mathrm{bot} = \mathrm{bot}$
    Invalid case since $E'_a = \mathrm{unknown}$
  Case ($\downarrow$-unknown), with premise $E'_a \neq \mathrm{bot}$: $\downarrow E'_a = \mathrm{unknown}$
    $E_c \sqsubseteq E_a$   By rule $\sqsubseteq$-unknown

Case ($\sqsubseteq$-=), with premise $E'_a \neq \mathrm{bot} \wedge E'_a \neq \mathrm{unknown}$: $E'_a \sqsubseteq E'_a$, so $E_c = E'_a$
  By case analysis on $d_2$
  Case ($\downarrow$-bot): $\downarrow \mathrm{bot} = \mathrm{bot}$
    $E_c \sqsubseteq E_a$   By rule $\sqsubseteq$-=
  Case ($\downarrow$-unknown), with premise $E'_a \neq \mathrm{bot}$: $\downarrow E'_a = \mathrm{unknown}$
    $E_c \sqsubseteq E_a$   By rule $\sqsubseteq$-unknown

□
Theorem G.10. $\downarrow$ preserves $\sqsubseteq$

forall deriv.

$d_1 : E'_c \sqsubseteq E'_a$
$d_2 : E_a = \downarrow E'_a$
$d_3 : E_c = \downarrow E'_c$

exists deriv.

$d_4 : E_c \sqsubseteq E_a$

Proof:

By case analysis on $d_3$

Case ($\downarrow$-bot): $\downarrow \mathrm{bot} = \mathrm{bot}$
  $E_c \sqsubseteq E_a$   By rule $\sqsubseteq$-bot

Case ($\downarrow$-unknown), with premise $E'_c \neq \mathrm{bot}$: $\downarrow E'_c = \mathrm{unknown}$
  $E'_a \neq \mathrm{bot}$   By inversion on $E'_c \sqsubseteq E'_a$
  $\downarrow E'_a = \mathrm{unknown}$   By rule $\downarrow$-unknown
  $E_c \sqsubseteq E_a$   By rule $\sqsubseteq$-unknown

□
Theorem G.11. $\downarrow$ creates $\lhd$

forall deriv.

$d_1 : E_a = \downarrow E'_a$
$d_2 : E_c = \downarrow E'_c$

exists deriv.

$d_3 : E_c \lhd E_a$

Proof:

$E_a = \mathrm{unknown} \vee E_a = \mathrm{bot}$   By lemma $\downarrow$ creates polarity
$E_c = \mathrm{unknown} \vee E_c = \mathrm{bot}$   By lemma $\downarrow$ creates polarity
By case analysis on the value of $E_c$

Case $E_c = \mathrm{bot}$:
  By case analysis on the value of $E_a$
  Case $E_a = \mathrm{bot}$:
    $E_c \lhd E_a$   By rule $\lhd$-bot
  Case $E_a = \mathrm{unknown}$:
    $E_c \lhd E_a$   By rule $\lhd$-unknown

Case $E_c = \mathrm{unknown}$:
  $E_c \lhd E_a$   By rule $\lhd$-other

□
Theorem G.12. $\sqcap$ (override meet) preserves $\sqsubseteq$

forall deriv.

$E^{conc}_l \sqsubseteq E^{abs}_l \;\wedge\; E^{conc}_r \sqsubseteq E^{abs}_r \;\wedge\; E^{conc}_l \sqcap E^{conc}_r = E^{conc} \;\wedge\; E^{abs}_l \sqcap E^{abs}_r = E^{abs} \;\wedge\; E^{conc}_r \lhd E^{abs}_r$

exists deriv.

$E^{conc} \sqsubseteq E^{abs}$

Proof:

Given $E^{conc}_l \sqsubseteq E^{abs}_l$, $E^{conc}_r \sqsubseteq E^{abs}_r$, $E^{conc}_l \sqcap E^{conc}_r = E^{conc}$, $E^{abs}_l \sqcap E^{abs}_r = E^{abs}$, $E^{conc}_r \lhd E^{abs}_r$
Show $E^{conc} \sqsubseteq E^{abs}$

By case analysis on the structure of the derivation of $E^{conc}_l \sqcap E^{conc}_r = E^{conc}$

Case (OVRMEET-BOT): $E^{conc}_l \sqcap \mathrm{bot} = E^{conc}_l$, so $E^{conc}_r = \mathrm{bot}$ and $E^{conc} = E^{conc}_l$

  By case analysis on the value of $E^{abs}_r$

  Case $E^{abs}_r = \mathrm{bot}$:
    $E^{abs} = E^{abs}_l$   By inversion on $E^{abs}_l \sqcap E^{abs}_r = E^{abs}$
    $E^{conc} \sqsubseteq E^{abs}$   By equality

  Case $E^{abs}_r = \mathrm{unknown}$:
    $E^{abs} = \mathrm{unknown}$   By inversion on $E^{abs}_l \sqcap E^{abs}_r = E^{abs}$
    $E^{conc} \sqsubseteq E^{abs}$   By rule $\sqsubseteq$-unknown

  Case $E^{abs}_r = \mathrm{true}$:
    Invalid case because $E^{conc}_r \lhd E^{abs}_r$

  Case $E^{abs}_r = \mathrm{false}$:
    Invalid case because $E^{conc}_r \lhd E^{abs}_r$

Case (OVRMEET-$\neg$BOT), with premise $E^{conc}_r \neq \mathrm{bot}$: $E^{conc}_l \sqcap E^{conc}_r = E^{conc}_r$, so $E^{conc} = E^{conc}_r$

  $E^{abs}_r \neq \mathrm{bot}$   By inversion of $E^{conc}_r \sqsubseteq E^{abs}_r$
  $E^{abs} = E^{abs}_r$   By inversion of $E^{abs}_l \sqcap E^{abs}_r = E^{abs}$
  $E^{conc} \sqsubseteq E^{abs}$   By equality

□
Theorem G.13. Lattice with substitution is sound

forall deriv.

$d_1 : \rho^{abs} = lattice(Q[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs})$

$d_2 : \mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$

$d_3 : \mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$

$d_4 : \mathcal{A}^{conc} \vdash \sigma\ \mathrm{validFor}\ FV(Q)$

exists deriv.

$d_5 : \rho^{conc} = lattice(Q[\sigma], \mathcal{A}^{conc}, \mathcal{B}^{conc})$
$d_6 : \rho^{conc} \sqsubseteq \rho^{abs}$
$d_7 : \rho^{conc} \lhd \rho^{abs}$

By induction on $d_1$:

Case (LIST), with premises $\rho^{abs}_1 = lattice(Q_1[\sigma]; \mathcal{A}^{abs}; \mathcal{B}^{abs})$ and $\rho^{abs}_2 = lattice(Q_2[\sigma]; \mathcal{A}^{abs}; \mathcal{B}^{abs})$:
$lattice(Q_1[\sigma], Q_2[\sigma]; \mathcal{A}^{abs}; \mathcal{B}^{abs}) = \rho^{abs}_1 \sqcup \rho^{abs}_2$

  $\rho^{conc}_1 = lattice(Q_1[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc})$   By induction hypothesis
  $\rho^{conc}_1 \sqsubseteq \rho^{abs}_1$   By induction hypothesis
  $\rho^{conc}_1 \lhd \rho^{abs}_1$   By induction hypothesis
  $\rho^{conc}_2 = lattice(Q_2[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc})$   By induction hypothesis
  $\rho^{conc}_2 \sqsubseteq \rho^{abs}_2$   By induction hypothesis
  $\rho^{conc}_2 \lhd \rho^{abs}_2$   By induction hypothesis
  Let $\rho_c = \rho^{conc}_1 \sqcup \rho^{conc}_2$
  Let $\rho_a = \rho^{abs}_1 \sqcup \rho^{abs}_2$
  $\rho_c \sqsubseteq \rho_a$   By Lemma $\sqcup$ preserves $\sqsubseteq$
  $\rho_c \lhd \rho_a$   By Lemma $\sqcup$ preserves $\lhd$

Case (LATTICE-R): $lattice(A[\sigma]; \mathcal{A}^{abs}; \mathcal{B}^{abs}) = \bot_{\mathcal{A}^{abs}}[A[\sigma] \mapsto \mathrm{true}]$

  Let $R = A[\sigma]$
  Let $\rho_a = \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{true}]$
  $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent   By definition of $\bot_{\mathcal{A}}$
  $R \in dom(\bot_{\mathcal{A}^{conc}})$   By Lemma $\sigma$ valid and $\rho$ consistent gives $\rho$ domain
  Let $\rho_c = \bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{true}]$
  $lattice(A[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc}) = \rho_c$   By rule LATTICE-R
  $\rho_c \sqsubseteq \rho_a$   By definition of $\bot_{\mathcal{A}}$
  $\rho_c \lhd \rho_a$   By definition of $\bot_{\mathcal{A}}$

Case (LATTICE-$\neg$R): $lattice(\neg A[\sigma]; \mathcal{A}^{abs}; \mathcal{B}^{abs}) = \bot_{\mathcal{A}^{abs}}[A[\sigma] \mapsto \mathrm{false}]$

  Let $R = A[\sigma]$
  Let $\rho_a = \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{false}]$
  $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent   By definition of $\bot_{\mathcal{A}}$
  $R \in dom(\bot_{\mathcal{A}^{conc}})$   By Lemma $\sigma$ valid and $\rho$ consistent gives $\rho$ domain
  Let $\rho_c = \bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{false}]$
  $lattice(\neg A[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc}) = \rho_c$   By rule LATTICE-$\neg$R
  $\rho_c \sqsubseteq \rho_a$   By definition of $\bot_{\mathcal{A}}$
  $\rho_c \lhd \rho_a$   By definition of $\bot_{\mathcal{A}}$

Case (LATTICE-R-TEST-T), with premise $\mathcal{B}^{abs}(\gamma_{test}[\sigma]) = \mathrm{True}$:
$lattice(A[\sigma]/\gamma_{test}[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs}) = \bot_{\mathcal{A}^{abs}}[A[\sigma] \mapsto \mathrm{true}]$

  Let $R = A[\sigma]$
  Let $\rho_a = \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{true}]$
  $\mathcal{A}^{conc} \vdash \bot_{\mathcal{A}^{conc}}$ consistent   By definition of $\bot_{\mathcal{A}}$
  $R \in dom(\bot_{\mathcal{A}^{conc}})$   By Lemma $\sigma$ valid and $\rho$ consistent gives $\rho$ domain
  $\mathcal{B}^{conc}(\gamma_{test}[\sigma]) = \mathrm{True}$   By $\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
  Let $\rho_c = \bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{true}]$
  $lattice(A[\sigma]/\gamma_{test}[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc}) = \rho_c$   By rule LATTICE-R-TEST-T
  $\rho_c \sqsubseteq \rho_a$   By definition of $\bot_{\mathcal{A}}$
  $\rho_c \lhd \rho_a$   By definition of $\bot_{\mathcal{A}}$

Rest of the cases follow in a similar manner.

□
Theorem G.14. Lattice with substitution is complete

forall deriv.

$d_1 : \rho^{conc} = lattice(Q[\sigma], \mathcal{A}^{conc}, \mathcal{B}^{conc})$
$d_2 : \mathcal{A}^{conc} \sqsubseteq_{\mathcal{A}} \mathcal{A}^{abs}$
$d_3 : \mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$

exists deriv.

$d_4 : \rho^{abs} = lattice(Q[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs})$
$d_5 : \rho^{conc} \sqsubseteq \rho^{abs}$
$d_6 : \rho^{conc} \lhd \rho^{abs}$

By induction on $d_1$:

Case (LIST), with premises $\rho^{conc}_1 = lattice(Q_1[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc})$ and $\rho^{conc}_2 = lattice(Q_2[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc})$:
$lattice(Q_1[\sigma], Q_2[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc}) = \rho^{conc}_1 \sqcup \rho^{conc}_2$

  $\rho^{abs}_1 = lattice(Q_1[\sigma]; \mathcal{A}^{abs}; \mathcal{B}^{abs})$   By induction hypothesis
  $\rho^{conc}_1 \sqsubseteq \rho^{abs}_1$   By induction hypothesis
  $\rho^{conc}_1 \lhd \rho^{abs}_1$   By induction hypothesis
  $\rho^{abs}_2 = lattice(Q_2[\sigma]; \mathcal{A}^{abs}; \mathcal{B}^{abs})$   By induction hypothesis
  $\rho^{conc}_2 \sqsubseteq \rho^{abs}_2$   By induction hypothesis
  $\rho^{conc}_2 \lhd \rho^{abs}_2$   By induction hypothesis
  Let $\rho_c = \rho^{conc}_1 \sqcup \rho^{conc}_2$
  Let $\rho_a = \rho^{abs}_1 \sqcup \rho^{abs}_2$
  $\rho_c \sqsubseteq \rho_a$   By Lemma $\sqcup$ preserves $\sqsubseteq$
  $\rho_c \lhd \rho_a$   By Lemma $\sqcup$ preserves $\lhd$

Case (LATTICE-R): $lattice(A[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc}) = \bot_{\mathcal{A}^{conc}}[A[\sigma] \mapsto \mathrm{true}]$

  Let $R = A[\sigma]$
  $lattice(R; \mathcal{A}^{abs}; \mathcal{B}^{abs}) = \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{true}]$   By rule LATTICE-R
  $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$   By definition of bot
  $\bot_{\mathcal{A}^{conc}} \lhd \bot_{\mathcal{A}^{abs}}$   By definition of bot
  $\bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{true}] \sqsubseteq \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{true}]$   By rule $\sqsubseteq$-$\rho$
  $\bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{true}] \lhd \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{true}]$   By rule $\lhd$-$\rho$

Case (LATTICE-$\neg$R): $lattice(\neg A[\sigma]; \mathcal{A}^{conc}; \mathcal{B}^{conc}) = \bot_{\mathcal{A}^{conc}}[A[\sigma] \mapsto \mathrm{false}]$

  Let $R = A[\sigma]$
  $lattice(\neg R; \mathcal{A}^{abs}; \mathcal{B}^{abs}) = \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{false}]$   By rule LATTICE-$\neg$R
  $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$   By definition of bot
  $\bot_{\mathcal{A}^{conc}} \lhd \bot_{\mathcal{A}^{abs}}$   By definition of bot
  $\bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{false}] \sqsubseteq \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{false}]$   By rule $\sqsubseteq$-$\rho$
  $\bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{false}] \lhd \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{false}]$   By rule $\lhd$-$\rho$

Case (LATTICE-R-TEST-T), with premise $\mathcal{B}^{conc}(\gamma_{test}[\sigma]) = \mathrm{True}$:
$lattice(A[\sigma]/\gamma_{test}[\sigma], \mathcal{A}^{conc}, \mathcal{B}^{conc}) = \bot_{\mathcal{A}^{conc}}[A[\sigma] \mapsto \mathrm{true}]$

  Let $R = A[\sigma]$
  Let $t_a = \mathcal{B}^{abs}(\gamma_{test}[\sigma])$
  $\mathrm{True} \sqsubseteq t_a$   By $\mathcal{B}^{conc} \sqsubseteq_{\mathcal{B}} \mathcal{B}^{abs}$
  By case analysis on $t_a$

  Case $t_a = \mathrm{True}$:
    $lattice(R/\gamma_{test}[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs}) = \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{true}]$   By rule LATTICE-R-TEST-T
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$   By definition of bot
    $\bot_{\mathcal{A}^{conc}} \lhd \bot_{\mathcal{A}^{abs}}$   By definition of bot
    $\bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{true}] \sqsubseteq \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{true}]$   By rule $\sqsubseteq$-$\rho$
    $\bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{true}] \lhd \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{true}]$   By rule $\lhd$-$\rho$

  Case $t_a = \mathrm{False}$:
    Invalid case by $\mathrm{True} \sqsubseteq t_a$

  Case $t_a = \mathrm{Unknown}$:
    $lattice(R/\gamma_{test}[\sigma], \mathcal{A}^{abs}, \mathcal{B}^{abs}) = \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{unknown}]$   By rule LATTICE-R-TEST-U
    $\bot_{\mathcal{A}^{conc}} \sqsubseteq \bot_{\mathcal{A}^{abs}}$   By definition of bot
    $\bot_{\mathcal{A}^{conc}} \lhd \bot_{\mathcal{A}^{abs}}$   By definition of bot
    $\bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{true}] \sqsubseteq \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{unknown}]$   By rule $\sqsubseteq$-$\rho$
    $\bot_{\mathcal{A}^{conc}}[R \mapsto \mathrm{true}] \lhd \bot_{\mathcal{A}^{abs}}[R \mapsto \mathrm{unknown}]$   By rule $\lhd$-$\rho$

Rest of the cases follow in a similar manner.

□
Theorem G.15. $\sigma$ valid and $\rho$ consistent gives $\rho$ domain

forall deriv.

$d_1 : \langle \Gamma_\ell; \mathcal{L} \rangle \vdash \sigma\ \mathrm{validFor}\ FV(rel(\bar{y}))$
$d_2 : \langle \Gamma_\ell; \mathcal{L} \rangle \vdash \rho$ consistent

exists deriv.

$d_3 : rel(\bar{y})[\sigma] \in dom(\rho)$

Proof:

$dom(\sigma) \supseteq dom(\Gamma_y)$   By inversion on $d_1$
$\forall\, y : \tau \in \Gamma_y \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_\ell(\sigma(y)) \wedge \tau' <: \tau$   By inversion on $d_1$
$dom(\rho) = \{ rel(\bar{\ell}) \mid \bar{\tau} = \mathcal{R}(rel) \wedge |\bar{\tau}| = |\bar{\ell}| = n \wedge \forall\, i \in 1 \ldots n \,.\, \exists\, \tau' \,.\, \tau' <: \tau_i \wedge \tau' <: \Gamma_\ell(\ell_i) \}$   By inversion on $d_2$
$\bar{y} = dom(FV(rel(\bar{y})))$   By inversion on $FV$
Let $\bar{\tau} = \mathcal{R}(rel)$
$\bar{\ell} = \bar{y}[\sigma]$   By $dom(\sigma) \supseteq dom(\Gamma_y)$
$|\bar{\ell}| = |\bar{y}| = |\bar{\tau}| = n$   By substitution and typing of $rel$
Let $\Gamma_y = FV(rel(\bar{y}))$
$\Gamma_y = y_0 : \tau_0, \ldots, y_n : \tau_n$   By inversion of $FV$
$\forall\, i \in 1 \ldots n \,.\, \exists\, \tau' \,.\, \tau' <: \tau_i \wedge \tau' <: \Gamma_\ell(\ell_i)$   By $dom(\sigma) \supseteq dom(\Gamma_y)$
$rel(\bar{y})[\sigma] \in dom(\rho)$   By construction of the domain of $\rho$

□
Theorem G.16. $\sqcup$ preserves consistency

$\forall\, \mathcal{A}, \rho_l, \rho_r, \rho \,.$

$\mathcal{A} \vdash \rho_l$ consistent $\wedge\ \mathcal{A} \vdash \rho_r$ consistent $\wedge\ \rho = \rho_l \sqcup \rho_r \Rightarrow$
$\mathcal{A} \vdash \rho$ consistent

Proof:

Let $\mathcal{A} = \langle \Gamma_\ell; \mathcal{L} \rangle$

$\forall\, rel(\bar{\ell}) \in dom(\rho_l) \,.\, \mathcal{R}(rel) = \bar{\tau} \wedge |\bar{\tau}| = |\bar{\ell}| \wedge \Gamma_\ell$ satisfies $\bar{\ell} : \bar{\tau}$   By inversion on $\mathcal{A} \vdash \rho_l$ consistent
$dom(\rho_l) = dom(\rho)$   By inversion on $\rho = \rho_l \sqcup \rho_r$
$\forall\, rel(\bar{\ell}) \in dom(\rho) \,.\, \mathcal{R}(rel) = \bar{\tau} \wedge |\bar{\tau}| = |\bar{\ell}| \wedge \Gamma_\ell$ satisfies $\bar{\ell} : \bar{\tau}$   By $dom(\rho_l) = dom(\rho)$
$\mathcal{A} \vdash \rho$ consistent   By rule consistent

□


Theorem G.17. $\sqcap$ preserves consistency

$\forall\, \mathcal{A}, \rho_l, \rho_r, \rho \,.$

$\mathcal{A} \vdash \rho_l$ consistent $\wedge\ \mathcal{A} \vdash \rho_r$ consistent $\wedge\ \rho = \rho_l \sqcap \rho_r \Rightarrow$
$\mathcal{A} \vdash \rho$ consistent

Proof:

Let $\mathcal{A} = \langle \Gamma_\ell; \mathcal{L} \rangle$

$\forall\, rel(\bar{\ell}) \in dom(\rho_l) \,.\, \mathcal{R}(rel) = \bar{\tau} \wedge |\bar{\tau}| = |\bar{\ell}| \wedge \Gamma_\ell$ satisfies $\bar{\ell} : \bar{\tau}$   By inversion on $\mathcal{A} \vdash \rho_l$ consistent
$dom(\rho_l) = dom(\rho)$   By inversion on $\rho = \rho_l \sqcap \rho_r$
$\forall\, rel(\bar{\ell}) \in dom(\rho) \,.\, \mathcal{R}(rel) = \bar{\tau} \wedge |\bar{\tau}| = |\bar{\ell}| \wedge \Gamma_\ell$ satisfies $\bar{\ell} : \bar{\tau}$   By $dom(\rho_l) = dom(\rho)$
$\mathcal{A} \vdash \rho$ consistent   By rule consistent

□

Theorem G.18. $\sqcap$ (override meet) preserves consistency

$\forall\, \mathcal{A}, \mathcal{A}', \rho, \rho_{\mathcal{A}}, \rho' \,.$

$\mathcal{A} \vdash \rho$ consistent $\wedge\ \mathcal{A}' \vdash \rho_{\mathcal{A}}$ consistent $\wedge\ \rho' = \rho \sqcap \rho_{\mathcal{A}} \Rightarrow$
$\mathcal{A}' \vdash \rho'$ consistent

Proof:

Let $\mathcal{A}' = \langle \Gamma'_\ell; \mathcal{L}' \rangle$

$\forall\, rel(\bar{\ell}) \in dom(\rho_{\mathcal{A}}) \,.\, \mathcal{R}(rel) = \bar{\tau} \wedge |\bar{\tau}| = |\bar{\ell}| \wedge \Gamma'_\ell$ satisfies $\bar{\ell} : \bar{\tau}$   By inversion on $\mathcal{A}' \vdash \rho_{\mathcal{A}}$ consistent
$dom(\rho') = dom(\rho_{\mathcal{A}})$   By inversion on $\rho' = \rho \sqcap \rho_{\mathcal{A}}$
$\forall\, rel(\bar{\ell}) \in dom(\rho') \,.\, \mathcal{R}(rel) = \bar{\tau} \wedge |\bar{\tau}| = |\bar{\ell}| \wedge \Gamma'_\ell$ satisfies $\bar{\ell} : \bar{\tau}$   By $dom(\rho') = dom(\rho_{\mathcal{A}})$
$\mathcal{A}' \vdash \rho'$ consistent   By rule consistent

□


Theorem G.19. Transfer implies consistency

$\forall$ deriv.

$d_1 : \rho' = transfer(\rho, \mathcal{A})$

$\exists$ deriv.

$d_2 : \mathcal{A} \vdash \rho'$ consistent

Proof:

$\rho' = \{ R \mapsto E \mid R \in dom(\bot_{\mathcal{A}}) \wedge (R \in dom(\rho) \Rightarrow E = \rho(R)) \wedge (R \notin dom(\rho) \Rightarrow E = \mathrm{unknown}) \}$   By inversion on $d_1$
$dom(\rho') = dom(\bot_{\mathcal{A}})$   By construction of $\rho'$
$\mathcal{A} \vdash \bot_{\mathcal{A}}$ consistent   By definition of $\bot_{\mathcal{A}}$
$\mathcal{A} \vdash \rho'$ consistent   By Lemma same domains imply same consistency

□
Theorem G.20. Lattice with substitution is consistent

forall deriv.

$\rho = lattice(Q[\sigma], \mathcal{A}, \mathcal{B})$
$\mathcal{A} \vdash \sigma\ \mathrm{validFor}\ FV(Q)$

exists deriv.

$\mathcal{A} \vdash \rho$ consistent

By induction on $\rho = lattice(Q[\sigma], \mathcal{A}, \mathcal{B})$:

Case (LIST), with premises $\rho_1 = lattice(Q_1[\sigma]; \mathcal{A}; \mathcal{B})$ and $\rho_2 = lattice(Q_2[\sigma]; \mathcal{A}; \mathcal{B})$:
$lattice(Q_1[\sigma], Q_2[\sigma]; \mathcal{A}; \mathcal{B}) = \rho_1 \sqcup \rho_2$

  $\mathcal{A} \vdash \rho_1$ consistent   By induction hypothesis
  $\mathcal{A} \vdash \rho_2$ consistent   By induction hypothesis
  $\mathcal{A} \vdash \rho_1 \sqcup \rho_2$ consistent   By Lemma $\sqcup$ preserves consistency

Case (LATTICE-R): $lattice(A[\sigma]; \mathcal{A}; \mathcal{B}) = \bot_{\mathcal{A}}[A[\sigma] \mapsto \mathrm{true}]$

  Let $R = A[\sigma]$
  $\mathcal{A} \vdash \bot_{\mathcal{A}}$ consistent   By definition of $\bot_{\mathcal{A}}$
  $R \in dom(\bot_{\mathcal{A}})$   By Lemma $\sigma$ valid and $\rho$ consistent gives $\rho$ domain
  $dom(\bot_{\mathcal{A}}) = dom(\bot_{\mathcal{A}}[R \mapsto \mathrm{true}])$   By $R \in dom(\bot_{\mathcal{A}})$
  $\mathcal{A} \vdash \bot_{\mathcal{A}}[R \mapsto \mathrm{true}]$ consistent   By rule consistent

Case (LATTICE-$\neg$R): $lattice(\neg A[\sigma]; \mathcal{A}; \mathcal{B}) = \bot_{\mathcal{A}}[A[\sigma] \mapsto \mathrm{false}]$

  Let $R = A[\sigma]$
  $\mathcal{A} \vdash \bot_{\mathcal{A}}$ consistent   By definition of $\bot_{\mathcal{A}}$
  $R \in dom(\bot_{\mathcal{A}})$   By Lemma $\sigma$ valid and $\rho$ consistent gives $\rho$ domain
  $dom(\bot_{\mathcal{A}}) = dom(\bot_{\mathcal{A}}[R \mapsto \mathrm{false}])$   By $R \in dom(\bot_{\mathcal{A}})$
  $\mathcal{A} \vdash \bot_{\mathcal{A}}[R \mapsto \mathrm{false}]$ consistent   By rule consistent

Case (LATTICE-R-TEST-T), with premise $\mathcal{B}(\gamma_{test}[\sigma]) = \mathrm{True}$:
$lattice(A[\sigma]/\gamma_{test}[\sigma], \mathcal{A}, \mathcal{B}) = \bot_{\mathcal{A}}[A[\sigma] \mapsto \mathrm{true}]$

  Let $R = A[\sigma]$
  $\mathcal{A} \vdash \bot_{\mathcal{A}}$ consistent   By definition of $\bot_{\mathcal{A}}$
  $R \in dom(\bot_{\mathcal{A}})$   By Lemma $\sigma$ valid and $\rho$ consistent gives $\rho$ domain
  $dom(\bot_{\mathcal{A}}) = dom(\bot_{\mathcal{A}}[R \mapsto \mathrm{true}])$   By $R \in dom(\bot_{\mathcal{A}})$
  $\mathcal{A} \vdash \bot_{\mathcal{A}}[R \mapsto \mathrm{true}]$ consistent   By rule consistent

Rest of the cases follow in a similar manner.

□
Theorem G.21. Consistency implies same domain

$\forall$ deriv.

$d_1 : \langle \Gamma_\ell; \mathcal{L} \rangle \vdash \rho_1$ consistent
$d_2 : \langle \Gamma_\ell; \mathcal{L} \rangle \vdash \rho_2$ consistent

$\exists$ deriv.

$dom(\rho_1) = dom(\rho_2)$

Proof:

$dom(\rho_1) = \{ rel(\bar{\ell}) \mid \bar{\tau} = \mathcal{R}(rel) \wedge |\bar{\tau}| = |\bar{\ell}| = n \wedge \forall\, i \in 1 \ldots n \,.\, \exists\, \tau' \,.\, \tau' <: \tau_i \wedge \tau' <: \Gamma_\ell(\ell_i) \}$   By inversion on $d_1$
$dom(\rho_2) = \{ rel(\bar{\ell}) \mid \bar{\tau} = \mathcal{R}(rel) \wedge |\bar{\tau}| = |\bar{\ell}| = n \wedge \forall\, i \in 1 \ldots n \,.\, \exists\, \tau' \,.\, \tau' <: \tau_i \wedge \tau' <: \Gamma_\ell(\ell_i) \}$   By inversion on $d_2$
$dom(\rho_1) = dom(\rho_2)$   By construction above

□


Theorem G.22. Consistency and $\sqsubseteq_{\mathcal{A}}$ implies domains are subset

$\forall$ deriv.

$d_1 : \langle \Gamma_{\ell c}; \mathcal{L}_c \rangle \vdash \rho_c$ consistent
$d_2 : \langle \Gamma_{\ell a}; \mathcal{L}_a \rangle \vdash \rho_a$ consistent
$d_3 : \langle \Gamma_{\ell c}; \mathcal{L}_c \rangle \sqsubseteq_{\mathcal{A}} \langle \Gamma_{\ell a}; \mathcal{L}_a \rangle$

$\exists$ deriv.

$dom(\rho_c) \subseteq dom(\rho_a)$

Proof:

$dom(\rho_c) = \{ rel(\bar{\ell}) \mid \bar{\tau} = \mathcal{R}(rel) \wedge |\bar{\tau}| = |\bar{\ell}| = n \wedge \forall\, i \in 1 \ldots n \,.\, \exists\, \tau' \,.\, \tau' <: \tau_i \wedge \tau' <: \Gamma_{\ell c}(\ell_i) \}$   By inversion on $d_1$
$dom(\rho_a) = \{ rel(\bar{\ell}) \mid \bar{\tau} = \mathcal{R}(rel) \wedge |\bar{\tau}| = |\bar{\ell}| = n \wedge \forall\, i \in 1 \ldots n \,.\, \exists\, \tau' \,.\, \tau' <: \tau_i \wedge \tau' <: \Gamma_{\ell a}(\ell_i) \}$   By inversion on $d_2$
$\forall\, rel(\bar{\ell}) \in dom(\rho_c) \,.\, \bar{\tau} = \mathcal{R}(rel) \wedge |\bar{\tau}| = |\bar{\ell}| = n \wedge \forall\, i \in 1 \ldots n \,.\, \exists\, \tau' \,.\, \tau' <: \tau_i \wedge \tau' <: \Gamma_{\ell c}(\ell_i)$   By construction of $dom(\rho_c)$
$dom(\Gamma_{\ell a}) = dom(\Gamma_{\ell c})$   By inversion on $d_3$
$\forall\, \ell : \tau \in \Gamma_{\ell c} \,.\, \tau <: \Gamma_{\ell a}(\ell)$   By inversion on $d_3$
$\forall\, rel(\bar{\ell}) \in dom(\rho_c) \,.\, \bar{\tau} = \mathcal{R}(rel) \wedge |\bar{\tau}| = |\bar{\ell}| = n \wedge \forall\, i \in 1 \ldots n \,.\, \exists\, \tau' \,.\, \tau' <: \tau_i \wedge \tau' <: \Gamma_{\ell a}(\ell_i)$   By $<:$ transitive
$\forall\, rel(\bar{\ell}) \in dom(\rho_c) \,.\, rel(\bar{\ell}) \in dom(\rho_a)$   By construction of $dom(\rho_a)$
$dom(\rho_c) \subseteq dom(\rho_a)$   By $\subseteq$

□

Theorem G.23. Find Labels Sound and Complete

forall deriv.

$d_1 : \langle \Gamma_{\ell c}, \mathcal{L}_c \rangle \sqsubseteq_{\mathcal{A}} \langle \Gamma_{\ell a}, \mathcal{L}_a \rangle$

$d_2 : |\bar{x}| = |\bar{y}| = n$

exists deriv.

$d_3 : findLabels(\langle \Gamma_{\ell a}, \mathcal{L}_a \rangle, \Gamma_y, \bar{x}, \bar{y}) = (\Sigma^t_a, \Sigma^u_a)$
$d_4 : findLabels(\langle \Gamma_{\ell c}, \mathcal{L}_c \rangle, \Gamma_y, \bar{x}, \bar{y}) = (\Sigma^t_c, \Sigma^u_c)$
$d_5 : \Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$
$d_6 : \Sigma^u_c \subseteq \Sigma^u_a$
$d_7 : \Sigma^t_c \supseteq \Sigma^t_a$

Proof:

Let $\Sigma^t_a = \{ (y_1 \mapsto \ell_1), \ldots, (y_n \mapsto \ell_n) \mid \forall\, i \in 1 \ldots n \,.\, \mathcal{L}_a(x_i) = \{\ell_i\} \wedge \Gamma_{\ell a}(\ell_i) <: \Gamma_y(y_i) \}$
Let $\Sigma^u_a = \{ (y_1 \mapsto \ell_1), \ldots, (y_n \mapsto \ell_n) \mid \forall\, i \in 1 \ldots n \,.\, \ell_i \in \mathcal{L}_a(x_i) \wedge \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell_i) \wedge \tau' <: \Gamma_y(y_i) \} - \Sigma^t_a$
$d_3 : findLabels(\langle \Gamma_{\ell a}, \mathcal{L}_a \rangle, \Gamma_y, \bar{x}, \bar{y}) = (\Sigma^t_a, \Sigma^u_a)$   By rule findLabels

Let $\Sigma^t_c = \{ (y_1 \mapsto \ell_1), \ldots, (y_n \mapsto \ell_n) \mid \forall\, i \in 1 \ldots n \,.\, \mathcal{L}_c(x_i) = \{\ell_i\} \wedge \Gamma_{\ell c}(\ell_i) <: \Gamma_y(y_i) \}$
Let $\Sigma^u_c = \{ (y_1 \mapsto \ell_1), \ldots, (y_n \mapsto \ell_n) \mid \forall\, i \in 1 \ldots n \,.\, \ell_i \in \mathcal{L}_c(x_i) \wedge \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell c}(\ell_i) \wedge \tau' <: \Gamma_y(y_i) \} - \Sigma^t_c$
$d_4 : findLabels(\langle \Gamma_{\ell c}, \mathcal{L}_c \rangle, \Gamma_y, \bar{x}, \bar{y}) = (\Sigma^t_c, \Sigma^u_c)$   By rule findLabels

$dom(\mathcal{L}_c) = dom(\mathcal{L}_a)$   By inversion on $d_1$
$dom(\Gamma_{\ell c}) = dom(\Gamma_{\ell a})$   By inversion on $d_1$
$\forall\, \ell' : \tau' \in \Gamma_{\ell c} \,.\, \tau' <: \Gamma_{\ell a}(\ell')$   By inversion on $d_1$
$\forall\, x' \mapsto \bar{\ell}' \in \mathcal{L}_c \,.\, \bar{\ell}' \subseteq \mathcal{L}_a(x') \wedge \bar{\ell}' \neq \emptyset$   By inversion on $d_1$
$\forall\, \ell \in dom(\Gamma_{\ell c}) \,.\, \Gamma_{\ell c}(\ell) <: \Gamma_{\ell a}(\ell)$   By rewriting
$\forall\, x \in dom(\mathcal{L}_c) \,.\, \mathcal{L}_c(x) \subseteq \mathcal{L}_a(x) \wedge \mathcal{L}_c(x) \neq \emptyset$   By rewriting

$\forall\, \sigma \in \Sigma^t_c \,.$
  $\forall\, i \in 1 \ldots n \,.$
    $(y_i \mapsto \ell_i) \in \sigma$   By $|\sigma| = n$
    $\{\ell_i\} = \mathcal{L}_c(x_i) \wedge \Gamma_{\ell c}(\ell_i) <: \Gamma_y(y_i)$   By construction of $\sigma$
    $\ell_i \in \mathcal{L}_a(x_i) \wedge \Gamma_{\ell c}(\ell_i) <: \Gamma_y(y_i)$   By $\mathcal{L}_c(x_i) \subseteq \mathcal{L}_a(x_i)$
    $\ell_i \in \mathcal{L}_a(x_i) \wedge \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell_i) \wedge \tau' <: \Gamma_y(y_i)$   By $\tau' = \Gamma_{\ell c}(\ell_i)$ and $\Gamma_{\ell c}(\ell_i) <: \Gamma_{\ell a}(\ell_i)$
  $\sigma \in \Sigma^t_a \cup \Sigma^u_a$   By quantification above
$d_5 : \Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$   By quantification above

$\forall\, \sigma \in \Sigma^u_c \,.$
  $\forall\, i \in 1 \ldots n \,.$
    $(y_i \mapsto \ell_i) \in \sigma$   By $|\sigma| = n$
    $\ell_i \in \mathcal{L}_c(x_i) \wedge \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell c}(\ell_i) \wedge \tau' <: \Gamma_y(y_i)$   By construction of $\sigma$
    $\ell_i \in \mathcal{L}_a(x_i) \wedge \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell c}(\ell_i) \wedge \tau' <: \Gamma_y(y_i)$   By $\mathcal{L}_c(x_i) \subseteq \mathcal{L}_a(x_i)$
    $\ell_i \in \mathcal{L}_a(x_i) \wedge \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell_i) \wedge \tau' <: \Gamma_y(y_i)$   By $\Gamma_{\ell c}(\ell_i) <: \Gamma_{\ell a}(\ell_i)$
  $\sigma \in \Sigma^u_a$   By quantification above
$d_6 : \Sigma^u_c \subseteq \Sigma^u_a$   By quantification above

$\forall\, \sigma \in \Sigma^t_a \,.$
  $\forall\, i \in 1 \ldots n \,.$
    $(y_i \mapsto \ell_i) \in \sigma$   By $|\sigma| = n$
    $\{\ell_i\} = \mathcal{L}_a(x_i) \wedge \Gamma_{\ell a}(\ell_i) <: \Gamma_y(y_i)$   By construction of $\sigma$
    $\{\ell_i\} = \mathcal{L}_c(x_i) \wedge \Gamma_{\ell a}(\ell_i) <: \Gamma_y(y_i)$   By $\mathcal{L}_c(x_i) \subseteq \mathcal{L}_a(x_i)$ and $\mathcal{L}_c(x_i) \neq \emptyset$
    $\{\ell_i\} = \mathcal{L}_c(x_i) \wedge \Gamma_{\ell c}(\ell_i) <: \Gamma_y(y_i)$   By $\Gamma_{\ell c}(\ell_i) <: \Gamma_{\ell a}(\ell_i)$
  $\sigma \in \Sigma^t_c$   By quantification above
$d_7 : \Sigma^t_c \supseteq \Sigma^t_a$   By quantification above

□
Theorem G.24. All Valid Substitutions Sound and Complete

forall deriv.

$d_1 : \langle \Gamma_{\ell c}; \mathcal{L}_c \rangle \sqsubseteq_{\mathcal{A}} \langle \Gamma_{\ell a}; \mathcal{L}_a \rangle$

exists deriv.

$d_2 : allValidSubs(\langle \Gamma_{\ell a}; \mathcal{L}_a \rangle; \sigma; \Gamma_y) = (\Sigma^t_a, \Sigma^u_a)$
$d_3 : allValidSubs(\langle \Gamma_{\ell c}; \mathcal{L}_c \rangle; \sigma; \Gamma_y) = (\Sigma^t_c, \Sigma^u_c)$
$d_4 : \forall\, \sigma \in \Sigma^t_a \cup \Sigma^u_a \,.\, \langle \Gamma_{\ell a}; \mathcal{L}_a \rangle \vdash \sigma\ \mathrm{validFor}\ \Gamma_y$
$d_5 : \forall\, \sigma \in \Sigma^t_c \cup \Sigma^u_c \,.\, \langle \Gamma_{\ell c}; \mathcal{L}_c \rangle \vdash \sigma\ \mathrm{validFor}\ \Gamma_y$
$d_6 : \Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$
$d_7 : \Sigma^u_c \subseteq \Sigma^u_a$
$d_8 : \Sigma^t_c \supseteq \Sigma^t_a$

Proof:

Let $\Sigma^t_a = \{ \sigma' \mid \sigma' \supseteq \sigma \wedge dom(\sigma') = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma' \,.\, \Gamma_{\ell a}(\ell) <: \Gamma_y(y) \}$
Let $\Sigma^u_a = \{ \sigma' \mid \sigma' \supseteq \sigma \wedge dom(\sigma') = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma' \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell) \wedge \tau' <: \Gamma_y(y) \} - \Sigma^t_a$
$d_2 : allValidSubs(\langle \Gamma_{\ell a}; \mathcal{L}_a \rangle; \sigma; \Gamma_y) = (\Sigma^t_a, \Sigma^u_a)$   By rule validSubs

$\forall\, \sigma \in \Sigma^t_a \,.\, dom(\sigma) = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell) \wedge \tau' <: \Gamma_y(y)$   By construction of $\Sigma^t_a$ and $\tau' = \Gamma_{\ell a}(\ell)$
$\forall\, \sigma \in \Sigma^u_a \,.\, dom(\sigma) = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell) \wedge \tau' <: \Gamma_y(y)$   By construction of $\Sigma^u_a$
$\forall\, \sigma \in \Sigma^t_a \cup \Sigma^u_a \,.\, dom(\sigma) = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell) \wedge \tau' <: \Gamma_y(y)$   By $\cup$ and above predicates
$d_4 : \forall\, \sigma \in \Sigma^t_a \cup \Sigma^u_a \,.\, \langle \Gamma_{\ell a}; \mathcal{L}_a \rangle \vdash \sigma\ \mathrm{validFor}\ \Gamma_y$   By rule $\sigma$-valid

Let $\Sigma^t_c = \{ \sigma' \mid \sigma' \supseteq \sigma \wedge dom(\sigma') = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma' \,.\, \Gamma_{\ell c}(\ell) <: \Gamma_y(y) \}$
Let $\Sigma^u_c = \{ \sigma' \mid \sigma' \supseteq \sigma \wedge dom(\sigma') = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma' \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell c}(\ell) \wedge \tau' <: \Gamma_y(y) \} - \Sigma^t_c$
$d_3 : allValidSubs(\langle \Gamma_{\ell c}; \mathcal{L}_c \rangle; \sigma; \Gamma_y) = (\Sigma^t_c, \Sigma^u_c)$   By rule validSubs

$\forall\, \sigma \in \Sigma^t_c \,.\, dom(\sigma) = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell c}(\ell) \wedge \tau' <: \Gamma_y(y)$   By construction of $\Sigma^t_c$ and $\tau' = \Gamma_{\ell c}(\ell)$
$\forall\, \sigma \in \Sigma^u_c \,.\, dom(\sigma) = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell c}(\ell) \wedge \tau' <: \Gamma_y(y)$   By construction of $\Sigma^u_c$
$\forall\, \sigma \in \Sigma^t_c \cup \Sigma^u_c \,.\, dom(\sigma) = dom(\Gamma_y) \wedge \forall\, y \mapsto \ell \in \sigma \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell c}(\ell) \wedge \tau' <: \Gamma_y(y)$   By $\cup$ and above predicates
$d_5 : \forall\, \sigma \in \Sigma^t_c \cup \Sigma^u_c \,.\, \langle \Gamma_{\ell c}; \mathcal{L}_c \rangle \vdash \sigma\ \mathrm{validFor}\ \Gamma_y$   By rule $\sigma$-valid

$dom(\mathcal{L}_c) = dom(\mathcal{L}_a)$   By inversion on $d_1$
$dom(\Gamma_{\ell c}) = dom(\Gamma_{\ell a})$   By inversion on $d_1$
$\forall\, \ell' : \tau' \in \Gamma_{\ell c} \,.\, \tau' <: \Gamma_{\ell a}(\ell')$   By inversion on $d_1$
$\forall\, x' \mapsto \bar{\ell}' \in \mathcal{L}_c \,.\, \bar{\ell}' \subseteq \mathcal{L}_a(x') \wedge \bar{\ell}' \neq \emptyset$   By inversion on $d_1$
$\forall\, \ell \in dom(\Gamma_{\ell c}) \,.\, \Gamma_{\ell c}(\ell) <: \Gamma_{\ell a}(\ell)$   By rewriting
$\forall\, x \in dom(\mathcal{L}_c) \,.\, \mathcal{L}_c(x) \subseteq \mathcal{L}_a(x) \wedge \mathcal{L}_c(x) \neq \emptyset$   By rewriting

$\forall\, \sigma' \in \Sigma^t_c \,.$
  $\sigma' \supseteq \sigma$   By construction of $\sigma'$
  $dom(\sigma') = dom(\Gamma_y)$   By construction of $\sigma'$
  $\forall\, (y \mapsto \ell) \in \sigma' \,.$
    $\Gamma_{\ell c}(\ell) <: \Gamma_y(y)$   By construction of $\sigma'$
    $\exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell) \wedge \tau' <: \Gamma_y(y)$   By $\tau' = \Gamma_{\ell c}(\ell)$ and $\Gamma_{\ell c}(\ell) <: \Gamma_{\ell a}(\ell)$
  $\forall\, (y \mapsto \ell) \in \sigma' \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell) \wedge \tau' <: \Gamma_y(y)$
  $\sigma' \in \Sigma^t_a \cup \Sigma^u_a$   By construction of $\Sigma^t_a$ and $\Sigma^u_a$
$d_6 : \Sigma^t_c \subseteq \Sigma^t_a \cup \Sigma^u_a$   By quantification above

$\forall\, \sigma' \in \Sigma^u_c \,.$
  $\sigma' \supseteq \sigma$   By construction of $\sigma'$
  $dom(\sigma') = dom(\Gamma_y)$   By construction of $\sigma'$
  $\forall\, (y \mapsto \ell) \in \sigma' \,.$
    $\exists\, \tau' \,.\, \tau' <: \Gamma_{\ell c}(\ell) \wedge \tau' <: \Gamma_y(y)$   By construction of $\sigma'$
    $\exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell) \wedge \tau' <: \Gamma_y(y)$   By $\Gamma_{\ell c}(\ell) <: \Gamma_{\ell a}(\ell)$
  $\forall\, (y \mapsto \ell) \in \sigma' \,.\, \exists\, \tau' \,.\, \tau' <: \Gamma_{\ell a}(\ell) \wedge \tau' <: \Gamma_y(y)$
  $\sigma' \in \Sigma^u_a$   By construction of $\Sigma^u_a$
$d_7 : \Sigma^u_c \subseteq \Sigma^u_a$   By quantification above

$\forall\, \sigma' \in \Sigma^t_a \,.$
  $\sigma' \supseteq \sigma$   By construction of $\sigma'$
  $dom(\sigma') = dom(\Gamma_y)$   By construction of $\sigma'$
  $\forall\, (y \mapsto \ell) \in \sigma' \,.$
    $\Gamma_{\ell a}(\ell) <: \Gamma_y(y)$   By construction of $\sigma'$
    $\Gamma_{\ell c}(\ell) <: \Gamma_y(y)$   By $\Gamma_{\ell c}(\ell) <: \Gamma_{\ell a}(\ell)$
  $\forall\, (y \mapsto \ell) \in \sigma' \,.\, \Gamma_{\ell c}(\ell) <: \Gamma_y(y)$
  $\sigma' \in \Sigma^t_c$   By construction of $\Sigma^t_c$
$d_8 : \Sigma^t_c \supseteq \Sigma^t_a$   By quantification above

□